Active Directory Migration Guide
Prepared by Microsoft
Version 1.0.0.0 Baseline
First published 17 March 2008

Copyright
This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.
All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
© Microsoft Corporation and Crown Copyright 2008

Disclaimer
At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.
The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

TABLE OF CONTENTS
1 Executive Summary
2 Introduction
2.1 Value Proposition
2.2 Knowledge Prerequisites
2.2.1 Skills and Knowledge
2.2.2 Training and Assessment
2.3 Infrastructure Prerequisites
2.4 Audience
2.5 Assumptions
3 Using This Document
3.1 Document Structure
4 Envision
4.1 Active Directory Overview
4.2 Initial State Environment
4.2.1 Public Domain Active Directory Migration Guidance
4.2.2 Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance
4.2.3 Technology Scenarios
4.3 End State Environment
5 Plan
5.1 Migration Type
5.1.1 New Active Directory or In-Place (Upgrade) Migration
5.1.2 Direct or Phased Migration
5.2 Evaluating the Existing Environment
5.3 Scope of Migration
5.3.1 Users
5.3.2 Groups
5.3.3 Computers
5.3.4 Printers
5.3.5 Data
5.3.6 Login Scripts
5.4 Migration Process
5.4.1 Manual Migration
5.4.2 Automated Migration
5.5 Migration Tools Available
5.5.1 Migrating from Microsoft Operating Systems
5.5.2 Migrating from Novell NetWare Operating Systems
6 Develop
6.1 Windows NT 4.0 Domain or Active Directory Migration
6.1.1 ADMT Prerequisites
6.1.2 Installing ADMT
6.1.3 Enabling Password Migration
6.1.4 Configuring ADMT
6.1.5 ADMT Option File and Include File
6.2 Novell NetWare Migration
6.2.1 Microsoft SfN Prerequisites
6.2.2 Installing Microsoft Services for Netware
6.2.3 Directory Synchronisation Using MSDSS
6.2.4 Password Synchronisation Using MSDSS
7 Stabilise
7.1 Migration Test Process
7.1.1 Pilot
7.2 Reviewing Log Files
7.2.1 Microsoft Migration Logs
7.2.2 Novell Migration Logs
APPENDIX A Skills and Training Resources
PART I Microsoft Active Directory 2003
PART II Active Directory Migration
APPENDIX B ADMT Sample Option File
APPENDIX C Document Information
PART I Terms and Abbreviations
PART II References

1 EXECUTIVE SUMMARY
The Active Directory Migration Guide will help accelerate the planning and subsequent migration to Microsoft® Windows Server® 2003 Active Directory® within a healthcare organisation, and help bring about a reduction in diversity of server operating systems.
The Active Directory Design Guide¹ provides a healthcare organisation with the information required to design a new Active Directory infrastructure. This document (Active Directory Migration Guide) provides guidance and current best practice specific to the healthcare industry for the planning and creation of an Active Directory migration solution.
This document includes guidance for a healthcare organisation migrating from the following:
• Microsoft Windows NT® Server 4.0 domains
• Microsoft Windows® 2000 Server Active Directory
• Microsoft Windows Server 2003 Active Directory
• Novell Directory Services® (NDS) 4.x, 5.x and 6.x

¹ Active Directory Design Guide {R1}: http://www.microsoft.com/industry/healthcare/technology/hpo/security/activedirectory.aspx

2 INTRODUCTION
At present, healthcare organisations typically use one of a number of solutions available for user authentication and providing access to resources. Should a healthcare organisation wish to deploy Active Directory within their environment, they need to first ascertain how the users, computers, applications, data and other resources will be migrated across.
This document is a component of the strategic Microsoft infrastructure guidance provided through Microsoft Healthcare Platform Optimisation. It provides current best practice guidance, sample scripts and specific design decision recommendations on migrating to Microsoft Windows Server 2003 Active Directory from a number of different network operating systems.

2.1 Value Proposition
This document provides guidance on the planning aspects required to carry out an Active Directory migration, and the tools and utilities that can be used. The guidance is designed to:
• Help identify potential design and deployment risks
• Provide rapid knowledge transfer to reduce the learning curve of designing an Active Directory migration solution
• Establish some preliminary design decisions before moving ahead with the migration
• Provide a consolidation of relevant and publicly available best practice guidance for Active Directory migration that:
  • Focuses on guidance specific to healthcare scenarios
  • Reduces the need for decision making by making recommendations where appropriate

2.2 Knowledge Prerequisites
To implement the recommendations in this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the required knowledge and skills to use the Active Directory Migration Guide, and provides suggested training and skill assessment resources to make the most of this guidance. The necessary infrastructure prerequisites are detailed in section 2.3.

2.2.1 Skills and Knowledge
The technical knowledge and minimum skills required to use the Deliverable are:
• Windows Server 2003 Active Directory and Windows 2000 Server Active Directory:
  • Active Directory design concepts
  • Organisational Unit design
• Windows NT Server 4.0 operating system (if migrating from this environment):
  • Administrative knowledge for maintaining users and computers
• NDS or Bindery (if migrating from a Novell® environment):
  • NDS or Bindery object properties for mapping to Active Directory
• Migration Tools:
  • Active Directory Migration Tool, if migrating from a Microsoft environment
  • Microsoft Services for NetWare, if migrating from a Novell environment

2.2.2 Training and Assessment
Guidelines on the basic skill sets required to make best use of this Deliverable are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners.

2.3 Infrastructure Prerequisites
The following are prerequisites for using the Active Directory Migration Guide within a healthcare organisation:
• Available hardware and Windows Server 2003 software for installing the migration tools
• Full administrative rights to all domains, servers and objects involved in the migration

2.4 Audience
The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisations. Table 1 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of these sections is described in section 3.1.

Role | Document Usage
IT Manager | Review the relevant areas within the document to understand the justification and drivers, and to develop an understanding of the implementation requirements
IT Architect | Review the relevant areas within the document against local architecture strategy and implementation plans
IT Professional/Administrator | Detailed review and implementation of the guidance to meet local requirements

[Table 1 also marks, for each role, the relevant sections among: Executive Summary, Envision, Plan, Develop, Stabilise, Operate.]
Table 1: Document Audience

2.5 Assumptions
The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable Internet Protocol (IP) Addressing schemes to enable successful site-to-site communication (that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap). Active Directory and the underlying Domain Name System (DNS) require the use of unique IP Addressing schemes at adjoining sites for cross-site communication to function successfully. The use of NAT (Network Address Translation) within an Active Directory environment is neither recommended nor supported by Microsoft.

3 USING THIS DOCUMENT
This document is intended for use by healthcare organisations and IT administrators who wish to migrate to Windows Server 2003 Active Directory. The document should be used to assist with the planning and implementation of a migration solution and as a reference guide for the most common tasks involved.

3.1 Document Structure
This document contains four sections that deal with the project lifecycle, as illustrated in Figure 1:
• Envision
• Plan
• Develop
• Stabilise
Each section is based on the Microsoft IT Project Lifecycle as defined in the Microsoft Solutions Framework (MSF) Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in the Microsoft Solutions Framework Core White Papers² and the MOF Executive Overview³. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

Figure 1: MSF Process Model Phases and Document Structure

² Microsoft Solutions Framework Core Whitepapers {R2}: http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
³ MOF Executive Overview {R3}: http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofeo.mspx

4 ENVISION
The Envision phase addresses one of the most fundamental requirements for success in any project: unification of the project team behind a common vision. There must be a clear vision of what is to be accomplished such that it can be stated in clear terms. Envisioning, by creating a high-level view of the overall goals and constraints, will serve as an early form of planning, and sets the stage for the more formal planning process that will take place during the planning phase.
Figure 2 acts as a high-level checklist, illustrating the sequence of events that should be undertaken when envisioning an Active Directory migration within a healthcare organisation:

[Figure 2 box labels: Active Directory Overview; Initial State Environment; Public Domain Active Directory Migration Guidance; Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance; Technology Scenarios; Microsoft Windows NT 4.0; Microsoft Windows 2000/2003 Active Directory; Novell Netware; End State Environment]
Figure 2: Sequence for Envisioning an Active Directory Migration

4.1 Active Directory Overview
Active Directory is the network-focused directory service included in the Windows 2000 Server and Windows Server 2003 operating systems. Active Directory provides an extensible and scalable service that enables network authentication, administration and management of directory services to an organisation running a Windows-based network infrastructure.

4.2 Initial State Environment
A migration to Active Directory can be a complex undertaking and there are many different approaches to completing such a project. Microsoft Healthcare Platform Optimisation seeks to provide healthcare-specific guidance to reduce the complexity of planning a migration to Active Directory within a healthcare organisation, thereby reducing the support and management requirements for the migration. The provision of a standardised design approach, including key design recommendations, will reduce the time and effort required to design and migrate users and computers to Active Directory within the healthcare organisation.
4.2.1 Public Domain Active Directory Migration Guidance
The Internet hosts many Web sites, documents and guidance that provide assistance in understanding the various aspects involved in a migration. This information can be hard to navigate, and can contain inconsistencies or out-of-date information. This document seeks to provide accurate and current best practice guidance, much of which is based on a number of publicly available sources of information for migrating to Active Directory. It also provides guidance from multiple current server operating systems in use. These sources include:
• Migrating from Windows NT Server 4.0 to Windows Server 2003 Active Directory [4], which provides information on migration methods and Active Directory considerations
• Designing and Deploying Directory and Security Services [5], which provides specific chapters on both upgrading and restructuring Windows NT Server 4.0 domains and Active Directory domains
• ADMT v3 Migration Guide [6], which details how to use the Active Directory Migration Tool (ADMT) version 3 to migrate and restructure Windows NT Server 4.0 domains and Active Directory domains
• Migrating Novell NetWare to Windows Server 2003 [7], which details how to deploy Windows Server 2003 Active Directory into an existing NetWare environment and how to migrate NetWare Directory Service (NDS) objects to Active Directory
• Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003, which provides information on planning, testing and deploying a migration solution. This information can be downloaded as a Microsoft Office Word document or browsed online:
    • To download the Word document, visit the Download Center [8]
    • To view the information online, visit the Technet Library [9]
• Microsoft Services for NetWare 5.03 White Paper [10], which provides detailed technical reference information on the use of Services for NetWare (SfN)
[4] Migrating from Windows NT Server 4.0 to Windows Server 2003 {R4}: http://www.microsoft.com/downloads/details.aspx?familyid=E92CF6A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en
[5] Designing and Deploying Directory and Security Services {R5}: http://technet2.microsoft.com/windowsserver/en/library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx
[6] ADMT v3 Migration Guide {R6}: http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en
[7] SFNmig.doc available for download from NetWare to Windows Server 2003 Migration Planning Guide {R7}: http://www.microsoft.com/windowsserver2003/techinfo/overview/sfnmig.mspx
[8] Microsoft Word document available for download from Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003 {R8}: http://go.microsoft.com/fwlink/?LinkID=46606
[9] Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003 {R9}: http://technet.microsoft.com/en-gb/library/bb496964.aspx
[10] Services for NetWare 5.03 White Paper {R10}: http://www.microsoft.com/windowsserver2003/techinfo/overview/sfn503wp.mspx
4.2.2 Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance
The guidance provided within this document is predominantly based on the information in the sources listed in section 4.2.1, which has only been included where it is deemed relevant to the healthcare industry. Coupled with this is current best practice guidance, which is provided to help a
healthcare organisation make decisions in order to plan a migration solution that meets their requirements.
The referenced documentation is not expected to be a universal solution for all healthcare organisations, but rather a set of design choices and best practices that can be used to initiate the local directory services migration solution, understand what decisions are available, why a decision is made, and how to implement that decision.
This Active Directory guidance endeavours not to repeat content from public documentation, but to provide a consolidated, organised and structured reference list to the documents listed in section 4.2.1. It highlights recommendations when it is appropriate for a typical healthcare organisation to deviate from the current default installation configurations of the tools available, when migrating to Windows Server 2003 Active Directory.
4.2.3 Technology Scenarios
This guide aims to provide current best practice recommendations on how to migrate user and computer accounts to Active Directory. There are three scenarios covered by this guidance, to which a healthcare organisation can map their environment. These scenarios are:
• Microsoft Windows NT Server 4.0 domain(s)
• Active Directory domain(s)
• Novell NetWare® (either NetWare 3.x Binderies or NDS)
The following diagrams in this section represent some example environments and illustrate the scenarios covered in this guidance.
4.2.3.1 Microsoft Windows NT Server 4.0
Figure 3 represents a simple implementation of two Windows NT 4.0 domains with a two-way trust relationship between them:
Figure 3: Microsoft Windows NT 4.0 Domain Scenario
Where an organisation still utilises Windows NT 4.0 domains, it is common to find domains deployed within each physical location of the organisation. Trust relationships are then created between them, in order to share resources amongst the users.
Figure 3 could, for example, represent a centralised account domain where both user and computer accounts reside, with resource domains distributed throughout the remote sites. In turn, these resource domains then trust the account domain with a one-way trust; however, it is also common to find that a two-way trust is used.
Whether there are only a few Windows NT 4.0 domains or over 100, with a complicated implementation of trust relationships between them, the migration of user and computer accounts to an Active Directory environment is dealt with in a similar manner.
4.2.3.2 Active Directory
Figure 4 represents the implementation of an Active Directory directory service:
Figure 4: Microsoft Windows 2000/2003 Active Directory Scenario
The migration from an existing Active Directory forest to a current best practice Active Directory environment is included in this guidance. Migration information is provided from both a Windows 2000 Server domain or forest and a Windows Server 2003 domain or forest. The purpose of including a migration of this type is for those healthcare organisations that have Active Directory deployed, but did not follow current best practice guidance when designing the Active Directory infrastructure. This can typically result from the deployment of an application that had an Active Directory requirement, and the project scope for the delivery of the application did not include a detailed design for Active Directory.
A healthcare organisation can use the Active Directory Design Guide {R1} to aid in the production of a new Active Directory design. They will then be able to use this migration guidance to migrate the Active Directory objects from one or more Active Directory domains to the new Active Directory domain.
4.2.3.3 Novell NetWare
Figure 5 represents the implementation of a Novell NetWare-based authentication mechanism for the healthcare organisation’s users and computers:
Figure 5: Novell NetWare Scenario
This guidance covers in detail the options available and the current best practice methods to migrate from an NDS using NetWare version 4.x, 5.x or 6.x to a Windows Server 2003 Active Directory. While this guidance focuses on these NetWare versions, it is still possible to use this guidance if migrating from an implementation of a Novell eDirectory™ environment or a Novell NetWare 3.x environment (that uses binderies to store user accounts and other resource information).
4.3 End State Environment
The Active Directory migration guidance in this document will help lead a healthcare organisation through the process of making complex design and implementation decisions to migrate to an Active Directory infrastructure.
Whilst no Active Directory migration guidance can be all encompassing, this document enables a healthcare organisation to simplify the decision process, whilst allowing them to consider local requirements. This will enable the organisation to migrate users, computers and other resources to the new Active Directory environment.
This guidance, when used with the Active Directory Design Guide {R1}, can assist a healthcare organisation in implementing a directory service that can reduce diversity in Active Directory designs across the organisation, aiding in the supportability of the healthcare organisations’ directory services.
5 PLAN
The Plan phase is where the bulk of the implementation planning is completed. During this phase, the areas for further analysis are identified and a design process commences.
Figure 6 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and IT Architect need to determine when planning for an Active Directory migration solution within a healthcare organisation:
Figure 6: Sequence for Planning an Active Directory Migration
5.1 Migration Type
The initial decisions to be made as part of a migration project are to first ascertain how to create the new Active Directory environment and then the approach as to how objects will be migrated to it.
There are two ways in which a healthcare organisation can build the new Active Directory environment. The current environment may determine the way in which the environment is built:
• If a healthcare organisation currently uses a Windows NT 4.0 domain or a Windows 2000 Active Directory, it is possible to carry out an in-place migration to Windows Server 2003 and the new Active Directory environment
• If a healthcare organisation currently uses Novell NetWare, or has an Active Directory environment that does not meet the needs of the healthcare organisation, a new Active Directory installation should be deployed
There are also two ways in which a healthcare organisation can populate the new Active Directory environment with the objects that should be migrated from the old environment:
• A Direct migration approach involves the migration of all users, groups, computers, and any other objects required, typically within a one-time migration
• A Phased migration approach enables a healthcare organisation to migrate various objects while maintaining both the old and new environments using trust relationships or synchronisation tools during the transition period
5.1.1 New Active Directory or In-Place (Upgrade) Migration
The decision on whether a new Active Directory environment is created from a fresh installation or an in-place migration should consider some basic advantages and disadvantages as detailed below.
Important
The in-place migration approach is not available to healthcare organisations that are looking to migrate to Active Directory from Novell NetWare; therefore, they must use the new Active Directory method.
The creation of a new Active Directory installation provides a clean environment that is not populated with users or computers that potentially no longer exist. It also allows a clear distinction between the old and new environments and allows the old environment to remain in place, which can act as part of a rollback facility should issues occur during the migration.
A disadvantage of creating a new Active Directory installation is that all computers that are members of the old environment need to have their computer accounts migrated through a manual or automated/scripted process. The same process needs to take place for the user accounts that need to be migrated. These disadvantages can be addressed using migration tools such as the Active Directory Migration Tool (ADMT) or the Microsoft Directory Synchronization Services (MSDSS) utility.
It is important to also consider the hardware requirements for the in-place migration approach. If a healthcare organisation is assessing an in-place migration from a Windows NT 4.0 domain, the server to be used should be both the Primary Domain Controller (PDC) and be capable of running Windows Server 2003. If the server is not capable of running Windows Server 2003, a common approach is to install Windows NT 4.0 as a Backup Domain Controller (BDC) on a new server that does meet the hardware requirements of Windows Server 2003, and to promote this as the PDC. This server can then be upgraded to Windows Server 2003, retaining the user and computer objects.
Caution
If a new server is to be purchased to install Windows NT 4.0 and subsequently upgraded to Windows Server 2003, ensure the hardware vendor provides Windows NT 4.0 drivers for the server because many new servers fail to run the Windows NT 4.0 operating system properly, due to the lack of available drivers.
Recommendation
It is recommended that a new Active Directory installation is deployed to introduce a clean environment that can be designed from the ground up. Use the Active Directory Design Guide {R1} to aid in the designing of the new Active Directory.
Active DirectoryVersion 1.0.0.0
5.1.2 Direct or Phased
Once the decision has been made on how to implement the new Active Directory envdecision needs to be made on whether the migration takes a
A direct migration is one that involves the migration of all objects including servers, users, groups, client computers, and so on, in a single, onewhere any earlier systems, such as a Windows NTlonger required (as all applications have been replaced or relocated away from these serversServers running Windows 2000 Server member server. This process should be fully tested in a test environment as an issue a rollback of changes, which could mean migrated to the new environment
A phased migration, also referred to as a staged migration, involves running the new and old environment in parallel for a period of time. This enables the migration to be split into more manageable stages, therefore reducing rollback of the changes made. This is becausea specific stage, as opposed to an entire migration
Recommendation
It is recommended that a healthcare organisationcomplexity and size of their environment. This allows stages, cater for easier rollbackmigration.
In a phased migration, it is important to make both the old and new environments accessiblewhether through trusts or synchronisation. In a Windowsthrough the use of external trust relationshipstools to synchronise directory information.
5.2 Evaluating the Existing EnvironmentThe aim of evaluating the existing environment is to understandplace and to be aware of the risks involved in such a the potential for unforeseen issues
As part of the evaluation, a number of infrastructure areas should be assessed and documented as listed in Table 2:
Infrastructure
Area Comment
Network Diagram The current network should be documented
such as file server, Web server, database server
version, patch revision, and
Printers Ensure all printers currently used within the environment can continue to be used once migrated. Especially
in NetWare environments
ensure it can use TCP/IP. If not, the printer may need replacing.
Network stored
information
All information stored on the network servers needs to be identified, whether
data. The location of the data
requirements for data
Server operating
systems dependent
software
Ensure that if any software installed on a server to be
migration process. This involves documenting the version installed, any configuration and whether or not the
software can run on Windows Server 2003. If not, the software may need updating or repla
Active Directory Migration Guide 1.0.0.0 Baseline
Phased Migration
Once the decision has been made on how to implement the new Active Directory envdecision needs to be made on whether the migration takes a direct or phased approach.
involves the migration of all objects including servers, users, groups, in a single, one-time migration. This approach should only be used
such as a Windows NT 4.0 PDC or BDC, or a NetWare server, are no as all applications have been replaced or relocated away from these serversWindows 2000 Server that act as a domain controller can be demoted and act as a
member server. This process should be fully tested in a test environment as an issue could mean having to revisit all the computers that
migrated to the new environment.
, also referred to as a staged migration, involves running the new and old environment in parallel for a period of time. This enables the migration to be split into more
therefore reducing the element of risk involved. This also allows easier . This is because the IT administrators have a more focused view on
as opposed to an entire migration completed at one time.
a healthcare organisation use the phased migration approach due to the potential their environment. This allows IT administrators to focus on easily managed
for easier rollback, should issues occur, as well as reducing the risk involved in a
In a phased migration, it is important to make both the old and new environments accessiblewhether through trusts or synchronisation. In a Windows-based environment, this can occur
trust relationships, whereas in a Novell environmenttools to synchronise directory information.
Evaluating the Existing Environment The aim of evaluating the existing environment is to understand the infrastructure that is currently in place and to be aware of the risks involved in such a migration project. The aim is to also reduce
issues, which may arise during the actual migration.
As part of the evaluation, a number of infrastructure areas should be assessed and documented as
The current network should be documented in a diagram to show the location of servers,
such as file server, Web server, database server, and so on. For each server, the
, patch revision, and the transport protocols that are in use should also be documented
Ensure all printers currently used within the environment can continue to be used once migrated. Especially
in NetWare environments, where a printer currently uses the Internetwork Packet Exchange (
ensure it can use TCP/IP. If not, the printer may need replacing.
All information stored on the network servers needs to be identified, whether it is user
he location of the data, who is responsible for it, which users have access to it and the security
requirements for data storage must also be noted.
any software installed on a server to be decommissioned is still required
migration process. This involves documenting the version installed, any configuration and whether or not the
software can run on Windows Server 2003. If not, the software may need updating or repla
Infrastructure Area | Comment
Local Area Networks (LAN)/Wide Area Networks (WAN) links | Along with the network diagram detailing the servers, it is also important to create a diagram that includes the network links in place and the available bandwidth. This is a prerequisite for an Active Directory design.
User environment properties | This includes the identification of login scripts, system or group policies in place, and home folder locations.
Health of current domain or NDS | This primarily refers to the synchronisation between servers but also to the server operating system. For NT4 domains or Active Directory, ensure replication is occurring properly between domain controllers and the event viewer does not contain any unexpected errors. For Novell servers, use tools such as DSTRACE and DSREPAIR to verify synchronisation.
Systems to be migrated | Determine which servers are to be migrated or decommissioned. As part of this, understand which users, groups, computers, files, and databases will be affected.
Table 2: Evaluating the Existing Environment
5.3 Scope of Migration
As part of any migration project, it is important to understand all the components that are to be migrated. As part of the infrastructure documentation listed in Table 2, the evaluation of the systems to be migrated enables each of the individual objects for migration to be identified. This includes:
• Users
• Groups
• Computers
• Printers
• Data
• Login scripts
For each of these, document the details such as:
• Current name (including domain name if a user, group or computer account)
• Target name (especially if domain consolidation is part of the migration and multiple objects currently share the same name)
• Current location (both physically and logically within the domain or NDS Tree)
• Target destination (the Active Directory organisational unit (OU) to which the object will be migrated, and the location of a server if a physical move of the server takes place)
5.3.1 Users
Different types of user accounts have different requirements and access needs. Typically, a user account can be placed into one of three categories:
• IT administrator
• Service account
• Standard user
Migrating to a new Active Directory environment provides an ideal opportunity to ensure that appropriate administrative accounts are created. These administrative accounts are those that are used by members of the IT department or that are delegated certain permissions. These are not the day-to-day accounts for users, but rather the accounts that should be used to run administrative tasks.
Recommendations
Administrators, or those users being delegated administrative rights for certain job role functions, should not have administrative permissions granted to their normal day-to-day accounts. Instead, a separate account should be created with the appropriate rights and permissions. The user should then use the ‘Run as’ feature to carry out this portion of their responsibilities. For more information on the current best practice method of using Run as, see the Windows Server 2003 Product Help Web page Using Run as¹¹.
The migration of user accounts should be carried out using the following order:
1. Administrative accounts
2. Service accounts
3. User accounts
If migrating from an NDS environment, a user is uniquely identified through the distinguished name, and not the common name (CN). For example, when creating a user in NDS, a common name could be specified as Anna, whereas the NDS distinguished name could be Anna Bedecs. If another user existed in a different NDS organisational unit with the common name of Anna, but with an NDS distinguished name of Anna Lidman, this is allowed. However, in Active Directory, user account names must be unique across the whole domain, not just the OU, as is the case in NDS.
Note
The specific user account names that need to be unique in Active Directory are:
• Distinguished Name (DN)
• Relative Distinguished Name
• SamAccountName
If both users were to be migrated, the first user migrated would have the logon name Anna, but the second user would have the logon name Anna0. The Active Directory Design Guide {R1} provides information on naming conventions, including users with the same name.
Recommendation
If users exist with the same name, it is recommended that a healthcare organisation change the logon names of the users within NDS, to make them unique, prior to the migration.
The same process should be applied to users with the same name that currently exist in different Windows NT or Active Directory domains that are being restructured into a single Active Directory domain.
11 Using Run as {R11}: http://technet2.microsoft.com/windowsserver/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx?mfr=true
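The duplicate-name case in section 5.3.1 can be reported before migration, so that users are renamed in the source directory instead of receiving an unexpected Anna0 logon name. The Python below is an added example, not part of the guide or of any Microsoft tool; the record layout, OU names, service and administrator accounts and the third "Anna" user are constructed, and the suffix numbering beyond 0 is an assumption. It goes slightly beyond the text by also checking the SamAccountName length and character limits and by applying the migration order given above.

```python
"""Pre-migration check for duplicate logon names (added example, constructed data)."""
from collections import defaultdict

# Order in which the guide says user accounts should be migrated.
MIGRATION_ORDER = {"administrative": 0, "service": 1, "user": 2}

# SamAccountName constraints for user objects: at most 20 characters and
# none of these characters.
MAX_SAM_LENGTH = 20
INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>')

# Constructed sample of an NDS user export. OU and category values are
# hypothetical; the first two Anna records mirror the guide's example.
SAMPLE_NDS_USERS = [
    {"cn": "Anna", "ou": "Ward7", "full_name": "Anna Bedecs", "category": "user"},
    {"cn": "BackupSvc", "ou": "IT", "full_name": "Backup service", "category": "service"},
    {"cn": "Anna", "ou": "Pharmacy", "full_name": "Anna Lidman", "category": "user"},
    {"cn": "adm-helpdesk", "ou": "IT", "full_name": "Helpdesk admin", "category": "administrative"},
    {"cn": "anna", "ou": "Radiology", "full_name": "Anna Example", "category": "user"},
]


def migration_sequence(users):
    """Sort administrative -> service -> user; input order is kept within a category."""
    return sorted(users, key=lambda u: MIGRATION_ORDER[u["category"]])


def find_collisions(users):
    """Group users whose common name matches, ignoring case, across all OUs."""
    by_name = defaultdict(list)
    for user in users:
        by_name[user["cn"].lower()].append(user)
    return {name: group for name, group in by_name.items() if len(group) > 1}


def validate_sam(name):
    """Return the reasons, if any, why `name` cannot be used as a SamAccountName."""
    problems = []
    if len(name) > MAX_SAM_LENGTH:
        problems.append(f"longer than {MAX_SAM_LENGTH} characters")
    bad = sorted(set(name) & INVALID_SAM_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    return problems


def simulate_logon_names(users):
    """Mimic the outcome the guide describes: first 'Anna', second 'Anna0'.

    Assumption: further duplicates continue with 1, 2, ...; the guide only
    documents the first suffix.
    """
    taken = set()
    result = []
    for user in migration_sequence(users):
        candidate = user["cn"]
        suffix = 0
        while candidate.lower() in taken:
            candidate = f"{user['cn']}{suffix}"
            suffix += 1
        taken.add(candidate.lower())
        result.append((user["full_name"], user["ou"], candidate))
    return result


def build_report(users):
    """Return report lines naming every user who should be renamed before migration."""
    lines = []
    planned = {(full, ou): sam for full, ou, sam in simulate_logon_names(users)}
    for name, group in sorted(find_collisions(users).items()):
        lines.append(f"Common name '{name}' is used by {len(group)} users:")
        for user in group:
            sam = planned[(user["full_name"], user["ou"])]
            lines.append(f"  {user['full_name']} (OU {user['ou']}) -> would log on as {sam}")
    for user in users:
        for problem in validate_sam(user["cn"]):
            lines.append(f"'{user['cn']}' ({user['full_name']}): {problem}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_report(SAMPLE_NDS_USERS)))
```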
5.3.2 Groups
Groups are a common object found in all current server operating systems and must be catered for in the migration.
If migrating from NDS using MSDSS, any NDS organisation or NDS OU that will be part of the migration will have a domain local security group created in Active Directory. These domain local security groups will then be mapped to the corresponding NDS organisation or NDS OU.
In a Windows NT 4.0 environment, a local group is converted to a domain local security group and a global group converts to a global security group. If migrating groups, and user membership of their groups is still required, Security Identification (SID) history must also be migrated. SID history migration is completed using ADMT v3, which can automatically configure the old and new domains as part of the installation and initial usage process.
Caution
A global group migration process can consume large amounts of network resources, as well as local resources on the domain controller in the target domain. Therefore, a global group migration should be completed outside of normal or peak working periods.
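The SID history requirement in section 5.3.2 follows from how access checks work: a migrated user or group receives a new SID in the target domain, while permissions on existing resources still name the old one. The Python model below is an added example, not ADMT code or output; the domain SIDs, RIDs, account names and the share ACL are constructed.

```python
"""Why SID history keeps access working after migration (added example, constructed data)."""

# Constructed domain SIDs: SRC is the Windows NT 4.0 source domain,
# DST is the new Active Directory domain.
SRC = "S-1-5-21-1111111111-2222222222-3333333333"
DST = "S-1-5-21-4444444444-5555555555-6666666666"

# ACL of a share that still names the source-domain global group
# (RID 1201 is hypothetical).
SHARE_ACL = {SRC + "-1201": {"read", "write"}}


def migrate(principal, new_rid, keep_sid_history):
    """Return the target-domain copy of a user or group.

    A migrated object always gets a new SID in the target domain; the old
    SID survives only if SID history is migrated with it.
    """
    history = []
    if keep_sid_history:
        history = [principal["sid"]] + list(principal.get("sid_history", []))
    return {"name": principal["name"], "sid": f"{DST}-{new_rid}", "sid_history": history}


def token_sids(user, groups):
    """SIDs presented at access-check time: primary SIDs plus any SID history."""
    sids = set()
    for principal in [user, *groups]:
        sids.add(principal["sid"])
        sids.update(principal["sid_history"])
    return sids


def effective_rights(acl, sids):
    """Union of the rights granted by ACL entries that match a SID in the token."""
    rights = set()
    for sid, granted in acl.items():
        if sid in sids:
            rights |= granted
    return rights


def principals_with_sid_history(principals):
    """Names of objects that still carry SID history, for later review."""
    return sorted(p["name"] for p in principals if p["sid_history"])


def run_scenario(keep_sid_history):
    """Migrate one user and the group that grants share access, then check access."""
    old_user = {"name": "anna", "sid": SRC + "-1105", "sid_history": []}
    old_group = {"name": "Ward7 Staff", "sid": SRC + "-1201", "sid_history": []}
    user = migrate(old_user, 2105, keep_sid_history)
    group = migrate(old_group, 2201, keep_sid_history)
    rights = effective_rights(SHARE_ACL, token_sids(user, [group]))
    return rights, [user, group]


if __name__ == "__main__":
    for keep in (False, True):
        rights, principals = run_scenario(keep)
        print(f"SID history migrated={keep}: rights on share = {sorted(rights) or 'none'}")
        print("  objects carrying SID history:", principals_with_sid_history(principals))
```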
5.3.3 Computers
As with users, computers can also be placed into their different categories such as:
• Servers
• Desktops
• Portable computers
Each computer type will need different considerations when being migrated to the new environment. These computer types are discussed in more detail below.
5.3.3.1 Servers
Servers require particular focus and the amount of effort required to migrate them is highly dependent upon the current role they play within the existing infrastructure.
For example, a server running Windows Server 2003 configured as a member server, and operating as an intranet Web site for users, could be migrated without many configuration changes. However, a Novell NetWare server authenticating users and running an unsupported application could require a lot more planning to migrate and potentially to decommission.
Recommendation
Replacing existing directory-enabled services or applications with new Active Directory-enabled software is a task that should be performed independently of the migration of NetWare users, groups, distribution lists, organisational units, organisations, and files.
5.3.3.2 Desktops
Desktops are commonly seen as one of the easiest objects to migrate. However, there are areas that need careful consideration and can sometimes be overlooked.
For example, in an environment where a computer currently runs a small application that requires the Microsoft Windows® 98 operating system to operate, if secure communication is required between the server and client computer, the computer will require the Active Directory Client Extension (DSClient) to be installed. This is also the case for Windows NT 4.0 client computers. These computers will therefore require a resource to manually install the software required, which takes additional time and planning.
Recommendation
It is highly recommended that if a healthcare organisation has computers with the Microsoft Windows 95®, Windows 98 or Microsoft Windows NT® Workstation 4.0 operating systems installed, which will become part of the new Active Directory environment, the DSClient is installed for more secure communication between the server and client computer (through the use of the NTLMv2 level of LAN Manager Authentication).
In a NetWare environment, a computer would typically have the Novell Client32 or Novell Client for Windows software installed. As part of the migration, the Client32 software would need to be removed and the computer would then use the Windows client for user authentication to the new environment. This Client32 software can either be removed manually or via a script that is run through a login script or batch command file.
As part of a migration from a Microsoft or Novell environment, unless an in-place migration is taking place, all desktops will need to be configured with new domain membership to become part of the new environment.
Important
One of the most common failures during a migration of computer accounts is due to the desktop computer being switched off and, as such, it cannot be migrated. It is important for a communication to be sent out to all computer users informing them that computers must be left on for the duration of the migration.
5.3.3.3 Portable Computers
Migrating portable computers is a similar process to that involved in migrating desktops but with one additional complication. Due to the nature of portable computers, it can be difficult to ensure the computer accounts for these computers are migrated to the new environment. This is typically because the computers are not connected to the network outside of normal working hours, as users take the computers home.
It is important to have a process in place whereby users can bring their portable computers into the workplace to have them migrated during normal working hours. Alternatively, provide a secure location for users to leave them overnight, or during other periods outside of normal working hours.
Recommendation
A migration project should contain a schedule of which computer will be migrated and at what time. This should be clearly communicated to users so that they are aware when their portable computers are required to be connected to the network for successful migration and to help keep the project within the allotted timeframe.
5.3.4 Printers
Printers are an important resource to users and access to them must be maintained at all stages of the migration.
Important
If all printers used in a Novell environment are required to be migrated to the new environment, ensure that the printers can be printed to using TCP/IP and not just IPX.
If migrating from a Windows-based environment, the Microsoft Windows Server 2003 Print Migrator tool can be used to migrate printers from a print server running Microsoft Windows NT 4.0, Microsoft Windows 2000 or Microsoft Windows Server 2003.
The Print Migrator Tool 3.1 can be downloaded from the Microsoft Download Web site¹².
A technical document providing detailed information around planning, deploying and managing Windows-based print servers using the Print Migrator tool can be downloaded from the Microsoft Download Web site¹³.
In a Novell environment, print queues made available through a NetWare server can still be used through the Client Service for NetWare (CSNW), until the printers are migrated to the new environment. For more information on the CSNW, see the Windows Server 2003 Product Help Web page Client Service for NetWare¹⁴.
5.3.5 Data
In Novell environments, the File Migration Utility (FMU), which is part of SfN, can be used. When using MSDSS, it is possible to complete a migration that includes an option for a file migration. This option creates a migration log that the FMU can use to maintain users’ access rights to their data.
In Microsoft environments, use a backup and restore method to migrate the data and use a tool such as Robocopy to ensure that any files updated by users during the backup and restore process are kept up to date. Shared folders cannot be migrated, so a tool such as the Windows Server 2003 Resource Kit tool (Permcopy.exe) can be used to copy the permissions from a source share path to a target share path.
5.3.6 Login Scripts
Login scripts can currently take the form of batch files, such as a .cmd or .bat file, a KiXtart script (commonly referred to as a KIX script), or other proprietary scripting languages typically found within a NetWare environment. Migration of these scripts requires careful planning when migrating into an Active Directory environment.
Active Directory provides the ability to specify a batch file (configured in the user properties) as the login script for individual users. It also provides the batch file processing method when using Group Policy objects (GPOs). Using GPOs, a healthcare organisation can specify startup, logon, logoff and shutdown scripts, providing a very precise control over when the scripts are run.
12 Print Migrator Tool 3.1 {R12}: http://download.microsoft.com/download/4/5/2/452d431e-5a5c-43bd-b398-6fc27208e001/printmig.exe
13 Microsoft Print Migrator 3.1 {R13}: http://download.microsoft.com/download/2/e/5/2e57d536-2bb5-40f1-b52d-a11f5aae2e22/Microsoft%20Print%20Migrator%203.1.doc
14 Client Service for NetWare {R14}: http://technet2.microsoft.com/windowsserver/en/library/eda1cc2b-c3cc-4845-add0-503439f6d1271033.mspx?mfr=true
5.4 Migration Process
Two options exist for a migration process; a manual migration, or an automated migration through the use of tools. The option used is mainly dependent upon the following:
• The size of the migration (number of objects to migrate)
• Whether the objects that exist in the current environment are valid or not (an example of an invalid object is when a user account exists for a user that has left employment)
• The configuration of objects such as access control lists (ACLs) of files and so on
5.4.1 Manual Migration
A manual migration process is one that involves re-entering user accounts, computer accounts and group membership, and the securing of files and folders that are copied across to the new environment.
This option is typically used in an environment where:
• The number of objects to migrate is relatively small
• The objects need extensive updating due to inaccuracy of the objects’ properties
• The information to be migrated is out of date and no longer required
• The investment in learning, installing and using the migration tools could take longer than the manual migration process itself
5.4.2 Automated Migration
An automated migration process uses tools to populate the new environment with information and data taken from the current environment. This option is typically used in situations where a large number of objects and files need to be migrated and these already exist in the current environment.
Recommendation
A healthcare organisation should use an automated migration process due to the number of objects typically found within the environment and the data security already put in place.
The tools available to use as part of the migration depend upon the platform from which objects are migrated. The freely-available tools provided by Microsoft enable a healthcare organisation to migrate to Active Directory in a much faster and more efficient manner than using manual migration.
5.5 Migration Tools Available
A number of tools are available to assist in the migration to Active Directory. The specific tool that should be used is dependent on whether the migration is from a Microsoft or Novell environment, and the object that is migrated.
5.5.1 Migrating from Microsoft Operating Systems
When migrating from a Microsoft-based environment, a number of tools can be used to automate the migration. Depending on what objects within the current environment are to be migrated, both the extent of control needed over these objects and the resources available (including their technical abilities) can influence which tool is used.
5.5.1.1 Active Directory Migration Tool

ADMT v3 is the free Microsoft tool that is available on a Windows Server 2003 CD or that can be downloaded from Microsoft Download Center [15].

ADMT can be used to migrate users, groups, service accounts, computers and trusts from a Windows NT 4.0 domain, or a Windows 2000 Server or Windows Server 2003 Active Directory environment. ADMT also allows for the translation of security from the old to the new environment.

ADMT can also be used to restructure domains currently in place. The Active Directory Design Guide {R1} recommends the implementation of a single domain Active Directory forest for a healthcare organisation. Based upon this recommendation, an environment that currently has multiple Windows NT 4.0 domains, such as account and resource domains, can use ADMT to restructure these domains into a single domain Active Directory forest.

Important
When restructuring domains, the target Active Directory domain functional level must be at Windows 2000 native level or Windows Server 2003 level.

ADMT can also be used to restructure domains if migrating from an existing Active Directory infrastructure. Two types of restructuring exist for Active Directory domains: interforest and intraforest.

An interforest restructure, as shown in Figure 7, involves migrating objects between Active Directory forests; typically faced in a merger between organisations, such as two healthcare organisations amalgamating and combining the IT infrastructure to reduce administrative complexity and overhead:

Figure 7: Active Directory Interforest Restructure using ADMT

[15] Active Directory Migration Tool v3.0 {R15}: http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-aff85ad3d212&DisplayLang=en
An intraforest restructure involves migrating objects between multiple domains within the same Active Directory forest as shown in Figure 8:

Figure 8: Active Directory Intraforest Restructure using ADMT

A major difference that can influence the decision between these types of restructuring should be fully understood:
• Objects during an intraforest restructure are migrated and no longer exist in the old environment.
• Objects in an interforest restructure are cloned, and therefore the original objects remain in place. In this case, a healthcare organisation would have the immediate benefit of having an environment that could be rolled back to, should an issue occur.

Recommendation
A healthcare organisation migrating from a current Active Directory infrastructure should use the interforest restructure migration method to ensure that the new environment contains only the required objects and has been designed according to the guidelines set out within the Active Directory Design Guide {R1}. This provides the additional benefit of keeping the old environment intact should a rollback be required.
Only consider an intraforest restructure if the current Active Directory is in a healthy state with a well managed collection of objects that are known to be up to date, and the design of the Active Directory follows the Active Directory Design Guide {R1} recommendations and/or is well documented.

ADMT can be run by using three different methods:
• ADMT console
• Command line
• A script

When using ADMT through a command line, both an option file and an include file can be specified. The option file contains the appropriate answers to the options available for the type of object being migrated. The include file contains the names of those objects to include when migration takes place.
Recommendation
For a healthcare organisation that does not have in-house expertise in Microsoft Visual Basic® Scripting Edition (VBScript), it is recommended that the command line method is used, combined with an option file and an include file. This provides the easiest method to test a migration; it aids in documenting the objects being migrated, and in running the final migration.

By default, ADMT uses the Microsoft SQL Server® 2000 Desktop Engine (WMSDE) as its data store. It is also possible to configure ADMT to use SQL Server 2000 SP4 Standard, SQL Server 2000 SP4 Enterprise Edition, or Microsoft SQL Server® 2005.

Recommendation
It is recommended that healthcare organisations use the default WMSDE database store, as installed and configured during the installation of ADMT.

5.5.1.2 Password Export Server Service

The Password Export Server (PES) service, part of the ADMT download, allows the migration of passwords between the current and new environments. The PES service needs to be installed on a domain controller in the source domain to enable password migration.

For password migration to take place using the PES service, both the computer that has ADMT installed and the computer that will have the PES service installed require 128-bit high encryption. This encryption is standard on domain controllers running Windows Server 2003, Windows 2000 Server Service Pack 3 (SP3) or Windows 2000 Server Service Pack 4 (SP4). If installation is required on a computer that does not currently support 128-bit high encryption, a high encryption pack is available for download from Microsoft.

For Windows 2000 Server, obtain the Windows 2000 High Encryption Pack (128-bit) [16] from the Microsoft Download Center.

For Windows NT 4.0, if Microsoft Internet Explorer® 5.5 is installed, this includes 128-bit high encryption. If not, Internet Explorer 4.1 plus Internet Explorer High Encryption Pack 4.0 is required, which is available from the Microsoft Download Center [17].

5.5.1.3 Third-Party Tools

Whilst ADMT provides an extensive array of options when migrating from Windows NT 4.0 or Active Directory, for large complex environments, some limitations of ADMT could require a healthcare organisation to provide extra resource in planning, developing and migrating between environments.

Other migration tools are available for purchase from other companies, for example, Quest Software® has a Domain Migration Wizard product focusing on migrations from Windows NT, and the Migration Manager for Active Directory product, for migrations and domain restructuring from Active Directory.

These tools can provide enhanced benefits such as:
• Complete rollback capabilities
• Directory synchronisation
• Post-migration clean-up of resources
• Detailed statistics of the migration

[16] Windows 2000 High Encryption Pack (128-bit) {R16}: http://www.microsoft.com/downloads/details.aspx?FamilyID=C10925A0-AC66-4C44-B5C3-9DCAB4DA1C63&displaylang=en
[17] Internet Explorer High Encryption Pack 4.0 {R17}: http://go.microsoft.com/fwlink/?LinkId=76038
For more details on the tools available from Quest Software, visit the Migration Tools for Active Directory Web page [18].

Note
The information provided here on Quest Software tools is neither a recommendation nor an endorsement for its use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for their Active Directory migration project, careful assessment, planning and testing of the migration must still take place.

5.5.2 Migrating from Novell NetWare Operating Systems

When migrating from a Novell-based environment, a number of tools are available to help automate the migration to Active Directory, as described in this section.

5.5.2.1 Microsoft Services for NetWare

Microsoft Services for NetWare 5.03 (SfN) enables a healthcare organisation to integrate Windows Server 2003 servers into an existing Novell NetWare network, whether this is a Bindery or NDS-based environment, and carry out a phased migration running the Windows environment and the NetWare environment in parallel.

SfN includes Microsoft Directory Services Synchronization (MSDSS) and the File Migration Utility (FMU). These tools, coupled with the necessary protocols used within a NetWare network, allow IT administrators to migrate and synchronise objects, and offer basic interoperability between, a Microsoft Active Directory and a Novell NetWare Directory Service (NDS).

SfN also provides tools to aid in troubleshooting connectivity, login scripts and password synchronisation issues, as well as monitoring network traffic. SfN, version 5.03 SP2 [19] at the time of writing this document, can be downloaded from the Microsoft Download Center.

Note
SfN requires the installation of the Novell Client for Windows available from the Novell Downloads [20] Web page.

File and Print Services for NetWare (FPNW) is a tool that can make a Windows Server 2003 server appear to be a NetWare 3.x server to client machines. FPNW is available to download from the same Web page as SfN [19].

[18] Migration Tools for Active Directory {R18}: http://www.quest.com/active-directory/migration.aspx
[19] Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}: http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en
[20] Novell Downloads {R20}: http://download.novell.com/index.jsp
5.5.2.2 Microsoft Directory Services Synchronisation

MSDSS enables bidirectional synchronisation between Active Directory and NDS or eDirectory directory services. With MSDSS, a healthcare organisation can configure a one-way or two-way synchronisation between the different directory services. This allows objects, such as user accounts, to be updated in Active Directory; these updates are then synchronised across to NDS.

Table 3 describes in detail the following types of synchronisation that can occur as part of MSDSS:

Synchronisation Type | Description
Forward synchronisation | A forward synchronisation is the process of synchronising data from Active Directory to Novell (whether this is NDS, eDirectory or Bindery). The forward synchronisation process queries Active Directory for new objects or existing objects that have been changed. If a new object has been created, only this new object and its attributes are synchronised. If an existing object has changed, then only the changes are synchronised, not the entire object.
Reverse synchronisation | A reverse synchronisation is the process of synchronising data from Novell to Active Directory. This type of synchronisation is less efficient than a forward synchronisation as MSDSS compares all objects in NDS against those existing in Active Directory. If any objects have been changed or new ones created, they are synchronised in their entirety. Due to the way a reverse synchronisation takes place, an increase in network traffic could be expected. Reducing the frequency of synchronisation could help reduce the network utilisation, but can have an adverse effect on the data held within Active Directory and potentially cause Active Directory to become out of date.
One-way synchronisation | A one-way synchronisation allows a healthcare organisation to introduce Active Directory into a Novell environment and manage the directory service objects from Active Directory while ensuring that the Novell directory service is kept up to date. This method of synchronisation is completed through an initial reverse synchronisation followed by subsequent forward synchronisations.
Two-way synchronisation | A two-way synchronisation is the same as a one-way synchronisation except that additional objects can be created and existing objects altered from within Active Directory or the Novell directory service. This is typically useful in environments where both Active Directory and NDS are to be maintained.
Scheduled synchronisation | A scheduled synchronisation ensures that changes are replicated from one directory service to the other. By default, a forward synchronisation is carried out every 15 minutes, 24 hours a day. A reverse synchronisation is carried out every hour from 00:00 (midnight) to 06:00, due to the increased network traffic caused by this type of synchronisation. If two-way synchronisation is in use, a different schedule can be configured for each direction.
Manual synchronisation | A manual synchronisation can be initiated by an IT administrator to synchronise changes immediately between one directory service and the other. This can be useful in situations where a migration activity has taken place and a password change or disabled user account needs to be synchronised immediately, rather than waiting for the next scheduled synchronisation.
Password synchronisation | A password synchronisation process can only take place if the passwords are changed from Active Directory. A password synchronisation occurs when an initial reverse synchronisation takes place, a user account is created in NDS as part of a two-way synchronisation, or a password is changed in Active Directory. It is not possible to synchronise passwords from a Novell directory service to Active Directory. A password scheme is used if either an initial reverse synchronisation is completed or new users are created in NDS. A password scheme is then used to determine what the password will be for the first logon. The user is then prompted to change it once successfully logged on.

Table 3: MSDSS Synchronisation Types

Recommendation
It is recommended that a healthcare organisation uses an initial reverse synchronisation, followed by one-way forward synchronisations configured with a default schedule. Once the initial synchronisation has occurred, objects should be managed through Active Directory and any changes, including passwords, will be synchronised to NDS.
For the full functionality of MSDSS, both the Active Directory and NDS directory schemas require extending. The Active Directory schema extensions enable the following features:
• Migration
• One-way synchronisation
• Two-way synchronisation

The NDS directory schema extensions are only required for a two-way synchronisation.

Note
As the recommendation is to use a one-way synchronisation, it is possible to carry out the migration without the need to extend the NDS directory schema.

MSDSS provides the ability to migrate passwords from Active Directory to NDS, Bindery or eDirectory; however, it is not possible to migrate passwords from a Novell environment to Active Directory. For this reason, when synchronising users during an initial reverse synchronisation, a password scheme is used to specify what the password should be for new users in Active Directory. Four possible options are available, as detailed in Table 4:

Password Scheme | Description
Set passwords to blank | When this option is selected, users are created with a blank password. When logging on for the first time, the user will have to create a password.
Set passwords to the user name | When this option is selected, users are created with a password that matches their user name. When logging on for the first time, the user will have to change this password.
Set passwords to random values | When this option is selected, users are created with a password that is set to a random value, eight characters in length. When logging on for the first time, the user will have to change this password. This option is the most secure password scheme available. The random values are written to a text file that members of the Administrators group on the domain controller can access.
Set all passwords to the following | When this option is selected, users are created with a password that is specified within the fields available in the Password Synchronisation Options dialog box. When logging on for the first time, the user will have to change this password.

Table 4: MSDSS Password Schemes

The following example text has been extracted from an MSDSS generated file using the random value password option:

Session 1: {21AD8B68-2A42-459e-BD29-F082F47E71B2}
Started: 01-31-2008 08:21
jonathan jNA$3mR_h7
sagiv X.kQ#tu68B
jacqueline WJr+66Ru.e
rich +bq-I2ZxM4
ivo T%?Db3vZ2b

The first line provides the session identification and the second line displays the time and date the synchronisation started. All subsequent lines contain the username of the user account being synchronised followed by a randomly generated password. Choosing the random value option provides the most secure password scheme but also requires the most planning regarding the communication of the new passwords to the migrated users.
Active DirectoryVersion 1.0.0.0
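The file layout described above (session identification, start time, then one username and password per line) can be parsed and checked before the passwords are handed out to users. The following Python code is an added example, not part of the original guide or of MSDSS; the sample file contents, the DIRECTORY lookup and the assumption that the first run of whitespace separates the username from the password are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout the guide describes: line 1 is the session
# identification, line 2 the time and date the synchronisation started, and
# each later line is "<username> <password>". Every value here is made up.
SAMPLE_FILE = """\
{00000000-0000-0000-0000-000000000000}
01/01/2008 08:00
alice Xq7#mT2p
bob r+9,wZ_4

carol
Alice Kd3!vB8n
dave Hu5%yN1c
"""

# Constructed lookup of where each user's letter is delivered (assumption:
# the organisation holds this in its own staff records).
DIRECTORY = {
    "alice": ("Alice Example", "Ward 1 office"),
    "bob": ("Bob Example", "Ward 2 office"),
}


def parse_password_file(text):
    """Return (session_id, started, credentials, problems).

    credentials maps lower-cased username -> password. Assumption: the first
    run of whitespace on a line separates the username from the password.
    """
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("expected a session line and a start-time line")
    credentials, problems = {}, []
    for number, line in enumerate(lines[2:], start=3):
        if not line.strip():
            continue  # blank lines carry no account
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((number, "no password on line"))
            continue
        user, password = parts[0].lower(), parts[1]
        if user in credentials:
            # Account names compare case-insensitively; a second entry is
            # reported rather than silently overwriting the first.
            problems.append((number, "duplicate entry for " + user))
            continue
        credentials[user] = password
    return lines[0].strip(), lines[1].strip(), credentials, problems


def merge_rows(credentials, directory):
    """Build one record per user who has a delivery route.

    Returns (rows, undeliverable): users missing from the directory are listed
    instead of being merged, so no password is printed without a recipient.
    """
    rows, undeliverable = [], []
    for user in sorted(credentials):
        entry = directory.get(user)
        if entry is None:
            undeliverable.append(user)
            continue
        rows.append([user, entry[0], entry[1], credentials[user]])
    return rows, undeliverable


def to_csv(rows):
    """Serialise the records with proper quoting: random passwords may contain
    commas or quotes, which a plain ','.join() would corrupt."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["username", "display_name", "deliver_to", "initial_password"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    session, started, creds, problems = parse_password_file(SAMPLE_FILE)
    rows, undeliverable = merge_rows(creds, DIRECTORY)
    print("session", session, "started", started)
    print(to_csv(rows), end="")
    print("undeliverable:", undeliverable)
    print("problems:", problems)
```

Any file produced this way holds every initial password in clear text, so it needs the same access restriction the guide describes for the MSDSS password file itself.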
Recommendation
It is recommended that a healthcare organisation uses the option of setting passwords to random values because all other options would enable any user to log on using any other user’s migrated account and gain access to data and other resources to which they normally would not have access.
A communication should be created for all users, informing them of the time they will be migrated to the new environment and any changes to the logon process, as well as any new location for storing their data, and so on. This communication can also be used to relay what the user’s new password will be. For example, creating a mail-merge document while using the password file as a data source, allows communications to be created directly, focusing on the individual user.
5.5.2.3 Microsoft File Migration Utility
The FMU enables the migration of files between a NetWare server and a Windows Server 2003 server, including the security permissions of those files. It also allows users to continually access the files during migration.
Prior to the use of the FMU, a migration of directory service objects must take place to enable the translation of file system rights and permissions when migrating to the equivalent rights and permissions in the NTFS file system. When migrating using MSDSS, an option to migrate files is available. Selecting this option creates a log file, which is then used by FMU as a mapping file to ensure users’ and groups’ effective rights on the NetWare files are translated correctly to the permissions in the Windows environment.
Note
It should be noted that the FMU cannot be used without the use of MSDSS because the relationship between NDS and Active Directory objects must be translated. Within NDS, permissions to files and folders can be granted to users, groups, organisational units and organisations. It is not possible to specify permissions on a file in Windows to an organisational unit. In this case, MSDSS maps an NDS organisational unit or organisation to an Active Directory domain local security group.
Using FMU, it is possible to view migration maps to see which objects from NDS are being mapped to the corresponding objects in Active Directory. The following maps are available to view:
• NDS organisational units and organisations to Active Directory group
• NDS group to Active Directory group
• NDS user to Active Directory user
Using these migration maps allows an IT administrator to confirm the translation of objects from NDS to the corresponding objects in Active Directory.
When using the FMU, the source must always be a volume or directory on an NDS server and the target must be a shared folder on a Windows Server 2003 or Windows 2000 Server. The FMU allows for a single source to be mapped to multiple targets or multiple targets mapped to a single source.
5.5.2.4 Third-Party Tools
SfN provides a set of freely available tools and utilities when migrating from Novell NetWare. However, for larger, more complex environments, some limitations of SfN could require a healthcare organisation to provide extra resource in planning, developing and migrating between environments.
Other migration tools are available for purchase from other companies; for example, Quest Software has developed NDS Migrator, a tool specifically designed to aid in migrating from NDS or Bindery services to Active Directory.
NDS Migrator can provide enhanced benefits such as:
• A single tool for migration of both objects and data
• Does not require additional software installed on a domain controller
• Simple exclusion of unused, disabled or locked-out accounts
• Supports a rollback facility of specific migrated objects
For more details on the NDS Migrator tool available from Quest Software, visit the Migrate Novell Directory Services to Active Directory Web page [21].
Note
The information provided here on Quest Software tools is neither a recommendation nor an endorsement for their use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for their Active Directory migration project, careful assessment, planning and testing of the migration must still take place.
[21] Migrate Novell Directory Services to Active Directory {R21}: http://www.quest.com/nds-migrator
6 DEVELOP
During the Develop phase, the solution components are built based on the planning and designs completed during the earlier phases. Further refinement of these components will continue into the stabilisation phase.
Figure 9 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and IT Architect need to determine when planning for an Active Directory migration within a healthcare organisation.
This section is split into two distinct areas, each focusing on the server operating systems in use in the old environment.
Figure 9: Sequence for Developing an Active Directory Migration
If migrating from a Windows NT Server 4.0 or Active Directory domain, see section 6.1. If migrating from a NetWare environment, see section 6.2.
Recommendation
The steps, scripts and processes provided in this section should be thoroughly tested before any large-scale live migrations are performed, to ensure they work as expected.
6.1 Windows NT 4.0 Domain or Active Directory Migration
As detailed within the Plan phase (section 5), the ADMT can be used for either a Windows NT 4.0 or Active Directory domain migration. This section provides the information required to prepare both current and new environments, completing the configuration necessary for password migration and installing the tools needed for a migration to take place.
6.1.1 ADMT Prerequisites
There are a number of prerequisites for the migration of accounts and resources:
• Installation of high encryption software
• Creating trust relationships
• Creating migration accounts
• Configuring domains for SID history migration
• Configure the target domain OU structure
6.1.1.1 Installation of High Encryption Software
High encryption software is required to enable the migration of passwords using the PES service from either a Windows NT Server 4.0 or a Windows 2000 Server domain. Section 5.5.1.2 provides details of the download locations for the High Encryption Packs available.
The instructions in Table 5 relate to the installation of the Microsoft Windows 2000 High Encryption Pack on a Windows 2000 Server, but can also be used as a guide for installation on a Windows NT 4.0 Server.
Step Description
1. On the Windows 2000 Server, run the downloaded file Encpack_Win2000_En.exe and click Yes in the Microsoft Windows 2000 High Encryption (128-bit) Capability dialog box to start the installation.
2. Read the license agreement, and if applicable, click Yes to accept.
3. Once the files have finished copying, click Yes to restart the computer, or No if the computer is to be restarted later.
Table 5: Microsoft Windows 2000 High Encryption Pack Installation
6.1.1.2 Creating Trust Relationships
Trust relationships need to be created between the source and target domains.
The following instructions in Table 6 provide the steps involved in creating a two-way trust between a Windows NT 4.0 domain and a new Windows Server 2003 Active Directory environment. These instructions require that a name resolution mechanism is in place, so that the Windows NT 4.0 domain can communicate with the Active Directory domain. If creating a trust relationship between a Windows 2000 Server Active Directory domain and a new Windows Server 2003 Active Directory environment, the steps outlined below only differ slightly and as such can be used as a reference.
Step Description
1. On the Windows NT Server 4.0 computer, click Start on the taskbar and select Programs > Administrative Tools (Common) and open User Manager for Domains. Click the Policies menu and select Trust Relationships.
2. In the Trust Relationships dialog box, click Add next to the Trusted Domains: box.
3. In the Add Trusted Domain dialog box, enter the NetBIOS name of the Windows Server 2003 Active Directory domain in the Domain text box and the password that will be used to establish the trust in Password, and click OK.
4. A User Manager for Domains information message displays stating the trust relationship could not be verified. Click OK to continue.
5. In the Trust Relationships dialog box, click Add next to the Trusting Domains: box.
6. In the Add Trusting Domain dialog box, enter the NetBIOS name of the Windows Server 2003 Active Directory domain in the Trusting Domain box. Enter the password that will be used to establish the trust in the Initial Password field and the Confirm Password field, and click OK.
7. In the Trust Relationships dialog box, the Windows Server 2003 Active Directory domain will be shown as both a Trusted and Trusting Domain. Click Close.
8. On the Windows 2003 Server, open Active Directory Domains and Trusts located in Start > Programs > Administrative Tools. Right-click the domain name in the left pane and select Properties.
9. In the domain Properties dialog box, select the Trusts tab and click New Trust.
10. The New Trust Wizard starts. Click Next to continue.
11. Type the name of the Windows NT 4.0 domain in the Name box and click Next.
12. Click Two-way as the direction of trust and click Next.
13. Click Domain-wide authentication for the outgoing trust authentication level and click Next.
14. In the Trust password and Confirm trust password boxes, type the password entered in step 3 and click Next.
15. Click Next in the Trust Selections Complete page.
16. Click Next in the Trust Creation Complete page.
17. Click Yes, confirm the outgoing trust and click Next.
18. Click Yes, confirm the incoming trust and type the administrative credentials for the Windows NT Server 4.0 domain in the User name and Password boxes, then click Next.
19. Once the trust relationships have been confirmed, click Finish, to complete the New Trust Wizard.
20. An Active Directory dialog box will display stating security identifier (SID) filtering is enabled. Click OK to close the dialog box.
21. The newly-created trust relationships will be shown in the domain Properties dialog box. Click OK to close.
Table 6: Creating Trust Relationships
6.1.1.3 Creating a Migration Account
When running the migration, a specific migration account should be created and used, rather than an IT administrator’s individual account. This ensures that an IT administrator tasked with a portion of the migration is not granted permissions that would not normally be provided outside of the migration. It also ensures that if the account is used in a script, an individual’s account credentials are not shared.
Recommendation
A healthcare organisation should create a single account in the source domain to simplify administration for the migration of all objects. This account should then be provided domain administrator credentials in the source domain and made a member of the Administrators domain local security group in the target domain to allow the migration of SID history for user accounts and global groups.
6.1.1.4 Configuring Domains for Security Identifier History Migration
To allow SID history migration, both the source and target domains require configuration. The following configuration is required:
• A local group is created in the Windows NT 4.0 domain to allow auditing
• TCP/IP client support is enabled on the source domain PDC
• Auditing is enabled in the Windows Server 2003 Active Directory domain
• Auditing is enabled in the Windows NT 4.0 domain
Recommendation
While the configuration listed above can be manually set, ADMT checks for these options the first time it is run and sets them if not configured. It is therefore recommended that healthcare organisations allow ADMT to automatically configure these items.
6.1.1.5 Configure the Target Domain Organisational Unit Structure
Before the migration of objects can take place, the OU structure that will house the objects needs to be created. Detailed information on OUs, specific to healthcare organisations, is available within the Group Policy for Healthcare Desktop Management [22] document.
Recommendation
A healthcare organisation should review the recommendations for OUs provided within the Group Policy for Healthcare Desktop Management {R22} document. This will help keep an OU design simple and create a structure that is easy to administer, yet meets the business and technical requirements of the healthcare organisation.
6.1.2 Installing ADMT
The installation of ADMT is a simple process involving only a few steps, which are detailed in Table 7. The installation requires that a Windows Server 2003 server has been built, and as recommended in section 5.5.1.1, ADMT will use the default database installation.
Important
If ADMT v2 has been installed, this must first be removed using Add or Remove Programs from within the Control Panel, otherwise the installation will fail. Any database created as part of a previous installation can be imported into ADMT during the installation.
ADMT v3 cannot be installed on Windows Server 2003 64-bit.
[22] Group Policy for Healthcare Desktop Management {R22}: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx
Step Description
1. While logged onto the Windows Server 2003 server with administrative credentials, run the downloaded Admtsetup.exe file to start the Active Directory Migration Tool Installation Wizard. Click Next on the Welcome page.
2. Read the license agreement, and if applicable, click I Agree and click Next to continue.
3. The Microsoft SQL Server Desktop Engine (WMSDE) will install.
Note: This will install even if using an existing Microsoft SQL Server. If choosing an existing SQL database, ADMT will disable WMSDE.
4. As recommended in Section 5.5.1.1, click Use Microsoft SQL Server Desktop Edition (Windows) and click Next.
5. Click No, do not import data from an ADMT v2 database (Default) and click Next.
6. Click Finish to complete the installation.
Table 7: Active Directory Migration Tool Installation
6.1.3 Enabling Password Migration
To allow the migration of passwords, the PES service requires configuration in the source domain. As part of this process, an encryption key is required, which is created within the target domain using ADMT.
To create an encryption key, at thethe following:
C:> admt key /option:create /sourcedomain:/keypassword:*
Where:
� <DomainName> is the name of the source domain
� <KeyFilePath> is the full path including file name of the encryption key to be created
This encryption key file needs to share, to the domain controller in the source domain where the PES service will be installed.
Step Description
1. Log on to the Windows Server 2003
server in the target domain.
Open a Command Prompt window
type the command to create the
encryption key file.
When prompted, type the password
and type it again to confirm.
2. Log on to the Windows NT 4.0
domain controller in the source
domain.
Run the Pwdmig.msi file in the default
folder location of
%systemroot%\Windows\ADMT\
on the Windows Server 2003 server
where ADMT in installed. The ADMT
Password Migration DLL Setup
installation wizard starts.
Click Next to continue.
Note
The Pwdmig.msi file can be run in
two ways:
� Connect to the hidden drive
share and run the file.
� Copy the PES folder and run the
file locally on the Windows NT
Server 4.0 computer.
Active Directory Migration Guide 1.0.0.0 Baseline
Enabling Password Migration
To allow the migration of passwords, the PES service requires configuration in the source domain. process, an encryption key is required, which is created within the target domain
at the command prompt on the server where ADMT is installed
admt key /option:create /sourcedomain:<DomainName> /keyfile:<KeyFilePath
is the name of the source domain
is the full path including file name of the encryption key to be created
needs to then be made available, either on a removable disk or network to the domain controller in the source domain where the PES service will be installed.
Screenshot
Windows Server 2003
window and
type the command to create the
assword,
in the source
file in the default
\PES
on the Windows Server 2003 server
ADMT
e run in
Connect to the hidden drive
Copy the PES folder and run the
file locally on the Windows NT
Prepared by Microsoft
Page 38
To allow the migration of passwords, the PES service requires configuration in the source domain. process, an encryption key is required, which is created within the target domain
command prompt on the server where ADMT is installed, type
KeyFilePath>
is the full path including file name of the encryption key to be created
either on a removable disk or network to the domain controller in the source domain where the PES service will be installed.
Active DirectoryVersion 1.0.0.0
Step Description
3. Click Browse and locate the
encryption key file created in step 1,
and click Next.
4. Type the password supplied during the
creation of the encryption key file in
step 1 into the Password and Confirm
text boxes.
Click Next to continue.
5. Click Next to start the installation.
6. Provide the migration account details
using the domain\username format in
the Log on as text box and type the
password for this account in the
Password and Confirm password
text boxes.
Click OK to continue.
7. Click OK to close the information
message box.
8. Click Finish to exit the installation
wizard.
9. Click Yes in the Installer Information
dialog box to restart the server to
complete the installation of the PES
service, or click No to restart the
computer later.
10. Once the Windows Server 2003 server
has restarted, log on with
administrative credentials and open the
Services window by clicking Start >
Control Panel > Services.
The Password Export Server Service
is set to a Manual Startup mode.
Important
This service should only be started
when a password migration is about
to be carried out and should be
stopped once the password
migration is complete.
Table 8: Password Export Server installation
6.1.4 Configuring ADMT
Once ADMT has been installed, the configuration of the source and target domains needs to be completed to enable the migration of SID history. This can be accomplished by running a test migration, which will then prompt to automatically complete the configuration items listed in section 6.1.1.4.
Important
This activity needs to be carried out while logged in using the migration account created in section 6.1.1.3.
Step Description
1. On the Windows Server 2003
computer, open the Active
Directory Migration Tool located
in Start > All Programs >
Administrative Tools.
Right-click Active Directory
Migration Tool and select Group
Account Migration Wizard.
2. In the Group Account Migration
Wizard, click Next to continue.
3. In the Domain Selection page,
select the Domain and Domain
Controller for the Source.
In the Target section, select the
target Domain and Domain
Controller.
Click Next to continue.
4. Click Select groups from
domain, and click Next.
5. In the Group Selection page, click
Add and select some test groups
to migrate from the source domain.
It is not important which groups are
chosen, as this process is for the
configuration to take place, not the
actual migration.
Click Next to continue.
6. In the Organizational Unit
Selection page, enter the OU to be
used as the target for the migrated
groups in Target OU, or click
Browse to locate and select the
required OU.
Click Next to continue.
7. In the Group Options page, clear
the Fix membership of group
check box and select Migrate
group SIDs to target domain, as
shown in the screenshot.
Click Next to continue.
8. At this point, ADMT will check for
the appropriate configuration
options necessary and offer to
enable them, if required.
Click Yes to enable auditing on the
source domain.
9. Click Yes to enable auditing on the
target domain.
10. Click Yes to create the local group.
11. Click Yes to add the
TcpipClientSupport registry key.
12. Click Yes to reboot the source
domain PDC.
13. Once the source domain PDC has
restarted, click OK to continue.
14. In the User Account page, supply
the credentials for the migration
account (the creation of which was
recommended in section 6.1.1.3),
and click Next.
15. In the Conflict Management page,
ensure Do not migrate source
object if a conflict is detected in
the target domain is selected and
click Next.
16. Click Finish to complete the
wizard and initiate the migration of
the groups added in step 5.
17. The Migration Progress dialog
box displays. Click View Log, if
required, and click Close to
complete the configuration of
ADMT.
Table 9: Active Directory Migration Tool Configuration
Once the steps above have been completed, the configuration of ADMT can be verified by checking that:
• A local group has been created in the source domain named <DomainName>$$$, where <DomainName> is the name of the source domain.
• The TcpipClientSupport registry DWORD entry has been created on the source domain PDC in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA subkey, and the value is set to 1.
• Auditing has been enabled for account management in both the source and target domains.
Information
Auditing can be verified on a Windows NT Server 4.0 computer through User Manager for Domains. In Active Directory, auditing can be verified within the Default Domain Controllers Policy accessed through Active Directory Users and Computers or the Group Policy Management Console.
6.1.5 ADMT Option File and Include File
The ADMT option file and include file were introduced in section 5.5.1.1, recommending that a healthcare organisation uses these two files when running ADMT from a command line. This section provides an example of both files and an example of the commands that can be run from a command prompt to use them.
6.1.5.1 Option File
The option file provides the options that will be used when running the ADMT command. Different options are available depending on the objects that are to be migrated, for example, users, groups, computers, and so on.
The text below is an example options file used to migrate user accounts from a server named ADMIG-NT4 in a test Windows NT 4.0 domain named NT4DOMAIN. The target domain is a Windows Server 2003 Active Directory domain named ADHealthOrg, using a domain controller named ADMIG-2K3-MS. The users would be migrated to an OU named Knowledge Based Users and have their passwords migrated using the PES service installed on the ADMIG-NT4 server.
[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
SourceDomainController="ADMIG-NT4"
;SourceOu="Source Organisational Unit Name"
TargetDomain="ADHealthOrg"
TargetDomainController="ADMIG-2K3-MS"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex
PasswordServer="ADMIG-NT4"
;PasswordFile="Password File Name"
ConflictOptions=Ignore
;UserPropertiesToExclude="Property1,Property2,Property3"
;InetOrgPersonPropertiesToExclude="Property1,Property2,Property3"
;GroupPropertiesToExclude="Property1,Property2,Property3"
;ComputerPropertiesToExclude="Property1,Property2,Property3"
[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No
The example option file above has a Migration section and a User section. Other sections such as Group, Computer and Security can all be specified within the same option file. When run, depending upon the command given, ADMT will determine which options are relevant for the migration it is running. For example, if running a user migration, the TranslateRegistry option for a computer will be ignored. For a full list of available options in an example option file, see APPENDIX B.
Note
The TargetOU line is wrapped onto the following line in this document but must not be when creating the text file for use during the migration.
If a line begins with a semi-colon (;), or an option has not been specified within the option file, ADMT ignores it and uses the default value for that option.
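The two rules in the note above (a wrapped TargetOu line breaks the file, and lines starting with a semi-colon fall back to ADMT defaults) can be checked before ADMT is run. The following Python linter is an added example, not part of the original guide or of ADMT; the function name, the constructed sample text and the assumption that option names are purely alphabetic are illustrative.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^[A-Za-z]+$")  # assumption: option names are purely alphabetic


def lint_option_file(text):
    """Parse ADMT option-file text and report formatting problems.

    Returns (options, defaulted, problems):
      options   - {section: {key: value}} for active Key=Value lines
      defaulted - {section: [keys]} commented out with ';' (defaults apply)
      problems  - list of (line_number, message)
    """
    options, defaulted, problems = {}, {}, []
    section = last_key = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section, last_key = header.group(1), None
            options.setdefault(section, {})
            defaulted.setdefault(section, [])
            continue
        if line.startswith(";"):
            # Commented-out option: ignored, so the default value is used.
            name = line[1:].partition("=")[0].strip()
            if section is not None and KEY_RE.match(name):
                defaulted[section].append(name)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not KEY_RE.match(key):
            where = f" of {last_key}" if last_key else ""
            problems.append(
                (lineno, f"not a Key=Value line; probably a wrapped continuation{where}"))
            continue
        if section is None:
            problems.append((lineno, f"{key} appears before any [Section] header"))
            continue
        last_key = key
        if value.count('"') % 2:
            # An odd number of quotes means the value was split across lines.
            problems.append(
                (lineno, f"{key} has an unterminated quoted value; the line may be wrapped"))
            continue
        if key in options[section]:
            problems.append((lineno, f"{key} is set more than once in [{section}]"))
        options[section][key] = value.strip('"')
    return options, defaulted, problems


# Constructed sample based on the option file shown in this section.
FIXED = """\
[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
SourceDomainController="ADMIG-NT4"
;SourceOu="Source Organisational Unit Name"
TargetDomain="ADHealthOrg"
TargetDomainController="ADMIG-2K3-MS"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex
PasswordServer="ADMIG-NT4"
;PasswordFile="Password File Name"
ConflictOptions=Ignore
[User]
MigrateSIDs=Yes
"""

# The same file with TargetOu wrapped the way it appears in the printed guide.
WRAPPED = FIXED.replace("Knowledge Based Users,", "Knowledge Based\nUsers,")

if __name__ == "__main__":
    for label, sample in (("fixed", FIXED), ("wrapped", WRAPPED)):
        opts, dflt, probs = lint_option_file(sample)
        print(label, "- options falling back to defaults:", dflt)
        for lineno, message in probs:
            print(f"  line {lineno}: {message}")
```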
For details of the options available for use with ADMT, type the following at the command prompt:
C:> admt /?
Further help can be displayed on the options for objects that can be migrated. For example, for a user, type the following at the command prompt:
C:> admt user /?
The ‘user’ parameter can be substituted with ‘group’, ‘computer’, ‘security’, ‘service’ or ‘password’ to obtain specific help on the options for each of these objects.
Recommendation
The service, computer and security objects of an ADMT migration can all use the PreCheckOnly option within the option file. Healthcare organisations should use this to gather information about whether the migration will be successful or not before the actual migration takes place.
Verbose logging should also be enabled to ensure the maximum amount of data is recorded to aid in troubleshooting, if issues occur.
Type the following at the command prompt to enable verbose logging:
C:> admt config logging /LogAttributes=Yes
6.1.5.2 Include File
As with the option file, the contents of the include file depend upon the objects that are migrated, but all objects follow the same basic syntax. The text below is the first few lines of an example include file used in the test migration above. This include file provides ADMT with the list of users to be migrated with the options file provided above:
SourceName,TargetName
Jesper.Aaberg,Jesper.Aaberg
Lene.Aalling,Lene.Aalling
Syed.Abbas,Syed.Abbas
Kim.Abercrombie,Kim.Abercrombie
Lina.Abola,Lina.Abola
Hazem.Abolrous,Hazem.Abolrous
Sam.Abolrous,Sam.Abolrous
Luka.Abrus,Luka.Abrus
Ahmad.Abu-Dayah,Ahmad.Abu-Dayah
Humberto.Acevedo,Humberto.Acevedo
Gustavo.Achong,Gustavo.Achong
Pilar.Ackerman,Pilar.Ackerman
The first row (header row) contains the headings SourceName and TargetName separated by a comma. Beneath the header row, each subsequent row contains the name of the user account to be migrated, once for the source and once for the target.
An include file can also be used to rename the objects to be migrated. The example below specifies a new target User Principal Name (UPN) for each user:
SourceName,TargetUPN
EAndersen,Elizabeth.Andersen@contoso.com
ErAndersen,Erik.Andersen@contoso.com
HAndersen,Henriette.Andersen@contoso.com
MAndersen,Mary.Andersen@contoso.com
TAndersen,Thomas.Andersen@contoso.com
NAnderson,Nancy.Anderson@contoso.com
The target can also be the TargetRDN, which specifies the relative distinguished name, or TargetSAM, which specifies the security accounts manager name for the object. All three options can be specified in the header row of a single include file, for example:
SourceName,TargetUPN,TargetSAM,TargetRDN
Important
The TargetName option in the include file cannot be used with the TargetUPN, TargetSAM or TargetRDN.
The TargetUPN option can only be used with user accounts.
The TargetRDN option can contain commas, but each comma must be preceded by a back slash (\). For example, ‘CN=surname\, firstname’. The TargetRDN option must include the text ‘CN=’.
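The include-file rules listed above can be checked before a migration run. The following Python validator is an added example, not part of the original guide or of ADMT; it assumes header names are spelled exactly as shown in this section, and it goes slightly beyond the text by also flagging a source or target name that appears on more than one row. The sample rows are constructed.

```python
import re

# Column names exactly as the guide spells them (assumed case-sensitive here).
RENAME_COLUMNS = {"TargetUPN", "TargetSAM", "TargetRDN"}
UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_row(line):
    """Split on commas that are not preceded by a backslash."""
    return [field.strip() for field in UNESCAPED_COMMA.split(line)]


def validate_include_file(text, object_type="user"):
    """Return a list of (line_number, message); an empty list means no problems."""
    rows = [(n, line) for n, line in enumerate(text.splitlines(), 1) if line.strip()]
    if not rows:
        return [(0, "empty file: a header row is required")]
    problems = []
    header_no, header_text = rows[0]
    header = split_row(header_text)
    targets = header[1:]
    if header[0] != "SourceName":
        problems.append((header_no, "first header column must be SourceName"))
    if not targets:
        problems.append((header_no, "header names no target column"))
    for column in targets:
        if column != "TargetName" and column not in RENAME_COLUMNS:
            problems.append((header_no, f"unknown header column {column!r}"))
    if "TargetName" in targets and RENAME_COLUMNS.intersection(targets):
        problems.append(
            (header_no, "TargetName cannot be combined with TargetUPN, TargetSAM or TargetRDN"))
    if "TargetUPN" in targets and object_type != "user":
        problems.append((header_no, "TargetUPN can only be used with user accounts"))

    seen = {}  # (column, lower-cased value) -> line where it first appeared
    for lineno, line in rows[1:]:
        fields = split_row(line)
        if len(fields) != len(header):
            problems.append(
                (lineno, f"expected {len(header)} fields, found {len(fields)}: "
                         "unescaped comma in TargetRDN or truncated row"))
            continue
        if "" in fields:
            problems.append((lineno, "empty field"))
        record = dict(zip(header, fields))
        rdn = record.get("TargetRDN")
        if rdn is not None and "CN=" not in rdn:
            problems.append((lineno, "TargetRDN must include the text 'CN='"))
        # Added check (not stated in the guide): the same name on two rows.
        for column, value in record.items():
            key = (column, value.lower())
            if value and key in seen:
                problems.append(
                    (lineno, f"{column} {value!r} already used on line {seen[key]}"))
            else:
                seen.setdefault(key, lineno)
    return problems


# Constructed samples using the account names from this section.
GOOD = r"""SourceName,TargetUPN,TargetSAM,TargetRDN
EAndersen,Elizabeth.Andersen@contoso.com,Elizabeth.Andersen,CN=Andersen\, Elizabeth
ErAndersen,Erik.Andersen@contoso.com,Erik.Andersen,CN=Andersen\, Erik
"""

BAD = r"""SourceName,TargetUPN,TargetRDN
EAndersen,Elizabeth.Andersen@contoso.com,CN=Andersen, Elizabeth
ErAndersen,Erik.Andersen@contoso.com,Andersen\, Erik
HAndersen,Erik.Andersen@contoso.com,CN=Andersen\, Henriette
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label)
        for lineno, message in validate_include_file(sample):
            print(f"  line {lineno}: {message}")
```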
6.1.5.3 ADMT Command Line
If both an option file and an include file are created that contain both the objects to be migrated and how they should be migrated, ADMT can be run from a command prompt to start the migration.
The example below uses an option file named OPTIONS.TXT and an include file named USERS.TXT to migrate a set of users:
C:> admt user /O:OPTIONS.TXT /F:USERS.TXT
Note
If the location of the option file or include file is not in the current working directory, the full path should be specified. If the path name contains spaces, enclose the full path and file name in double quotation marks (“).
6.2 Novell NetWare Migration
This section focuses on migrating from a NetWare environment to a Windows Server 2003 Active Directory environment using SfN. It covers the tasks to complete to prepare the environments for the installation of the tools and synchronisation of objects using MSDSS.
6.2.1 Microsoft SfN Prerequisites
There are two prerequisites for the migration of accounts and resources when using SfN:
• Permissions given to the credentials to be used to change the schema for both the Microsoft and Novell environment
• Installation of the Novell Client for Windows
6.2.1.1 Creating a Migration Account
When running the migration, a migration account should be created and used, rather than an IT administrator’s individual account. This ensures that an IT administrator tasked with a portion of the migration is not granted permissions that would not normally be provided outside of the migration. It also ensures that if the account is used in a script, an individual’s account credentials are not shared.
The installation of SfN will attempt to extend the Active Directory schema and, as such, appropriate credentials are required.
Recommendation
A healthcare organisation should create a single account in the target domain for the installation of SfN and the migration of all objects. This account should then be made a member of the following security groups:
• Domain Admins
• Enterprise Admins
• Schema Admins
Important
Due to the permissions gained through these security groups, of which the migration account will be made a member, it is important to ensure that auditing is carried out on this account. Also, once the migration is complete, the migration account must be removed from these security groups.
6.2.1.2 Installing the Novell Client for Windows
The steps in Table 10 provide the details needed to install the Novell Client for Windows on a Windows Server 2003 Active Directory domain controller. The installation steps assume that IPX is in use in the NetWare environment. The IPX protocol should only be installed if the NetWare environment is using it.
Note
At the time of writing this document, the latest Novell Client for Windows is version 4.91 SP4. This can be downloaded from the Novell Downloads Web page (footnote 23).
Step Description
1. Log on to the Windows Server 2003
domain controller using the migration
account.
Run Novell Client 4.91 SP4
English.exe to extract the necessary
files to install the software.
Once extracted, run the Setupnw.exe file
located, by default, in C:\Novell\Novell
Client 4.91 SP4 English.
Read the license agreement, and if
applicable, click Yes to continue.
2. Click Custom Installation and click
Next.
23 Novell Downloads {R20}: http://download.novell.com/index.jsp
3. Ensure Novell Client for Windows
(Required) is selected. Click Next to
continue.
4. Clear any additional products that are
selected and click Next.
5. Click IP and IPX and click Next.
6. Click NDS (NetWare 4.x or later) and
click Next.
Note
If migrating from a NetWare 3.x
environment, click Bindery
(NetWare 3.x).
7. Click Finish to complete the
installation options and start the file
copy process.
8. Once the installation is complete, the
Windows Server 2003 domain
controller needs to be restarted.
Click Reboot to restart the server.
Table 10: Novell Client for Windows Installation
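6.2.2 Installing Microsoft Services for Netware
This section focuses on the installation of SfN and the instructions below assume SfN has already been downloaded from Microsoft Services for Netware 5.03 SP2 and FPNW (footnote 24) on the Microsoft Web site.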
Step Description
1. On the Windows Server 2003
computer, run the downloaded SFN
5.03 SP2.MSI file and when the
Microsoft Services for NetWare
(version 5.03) Setup wizard displays,
click Next to continue.
2. Read the license agreement, and if
applicable, click I accept the terms in
the License Agreement and click
Next to continue.
24 Microsoft Download Center: Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}: http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en
3. Type a User Name and Organization
into the relevant boxes and click Next.
Note
The user name specified here is for
personalising the software
installation and therefore does not
need to be a valid domain account.
4. Click Custom setup type and click
Next.
5. In the Custom Setup page, all features
will be installed by default. Click Next
to continue.
6. Click Next to begin the installation.
7. Click OK to allow the setup process to
extend the Active Directory schema.
8. Click Finish to exit the wizard.
9. Click Yes to restart the server and
complete the installation, or click No to
restart the computer later.
Table 11: Microsoft Services for NetWare Installation
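6.2.3 Directory Synchronisation Using MSDSS
Once the Novell Client for Windows and SfN have been installed, an initial reverse synchronisation can take place. This is initiated through the creation of a one-way synchronisation, as recommended in section 5.5.2.2, and selecting the option to perform an initial reverse synchronisation. This is detailed in the steps provided in Table 12.
The steps provided below will synchronise a set of users from a Netware 6.5 NDS environment to an Active Directory domain. If using other NetWare versions, such as 4.x, 5.x or 6.x, the steps to synchronise are similar and, therefore, Table 12 can be used as a reference.
These steps can be used as a reference for configuring multiple synchronisations for varying objects in the old environment. Once all the objects have been synchronised between the two environments, the NDS or Bindery servers can be decommissioned because Active Directory takes over the provision of user access to the required resources.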
Step Description
1. On the Windows Server 2003
computer, select Start > All
Programs > Administrative
Tools > Directory
Synchronization to open
MSDSS.
Right-click MSDSS
(<DomainName>) and select
New Session.
2. The New Session Wizard starts.
Click Next to continue.
3. Choose Novell Directory Services (NDS) from the Select NDS or Bindery drop-down and click One-way synchronization (from Active Directory to NDS or Bindery). Click Next to continue.
4. Type the name of the Active Directory container in the relevant text box, or click Browse to locate and select the container. Ensure the Domain Controller box is populated with the server name currently in use. Click Next to continue.
5. Type the name of the NDS container in the relevant text box, or click Browse to locate and select the container. Type the User name and Password of the Novell administrator account to be used for the synchronisation in the relevant boxes. Click Next to continue.
6. In the Initial Reverse Synchronization page, ensure the Run this session when I close this wizard check box is selected and click Perform an initial reverse synchronization. Click Password Options.
7. The Password Synchronization Options dialog box displays. By default, the Set passwords to a random value option is selected. Click OK to continue. Click Next when the Initial Reverse Synchronization screen displays again.
8. In the Object Mapping Scheme page, click Default in the Object Mapping section and click Next.
Note
If the synchronised objects will reside in directory structures that are not identical, the Custom Object Mapping option must be selected and an Object Mapping Table needs to be used to map Active Directory objects to corresponding NDS objects.
Filters can also be used to exclude specific objects such as administrative accounts when synchronising between environments.
9. To identify this synchronisation session in the MSDSS window, type a Session Name, or accept the default name, and click Next.
10. Click Finish to complete the wizard and start the synchronisation.
11. The Synchronize dialog box opens and displays the progress of the synchronisation. Click OK to close the dialog box.
Note
To open the MSDSS Event Viewer, click the View Logs button.
Table 12: Directory Synchronisation Using MSDSS
Once the synchronisation session has been created, it is displayed in the MSDSS window. The session can then be managed. Right-click the session name to select a number of tasks such as:
• View Logs – Opens the MSDSS Event Viewer
• Clone Session – Runs the New Session Wizard and pre-populates the field values with those used in the selected session
• Synchronize Changes - Forward – Forces a forward synchronisation
• Update Status – Refreshes the status shown in the MSDSS window
• Disable Session – Pauses the synchronisation of objects within the selected session
• Properties – Displays the session properties, such as synchronisation schedule, Novell credentials used, level of detail logged, and password options
6.2.4 Password Synchronisation Using MSDSS
As part of the synchronisation session created using the New Session Wizard, a dialog box is provided to choose how passwords will be handled when users are first synchronised to Active Directory. During the steps detailed in section 6.2.3, the Set passwords to a random value option was selected.
Selecting this option creates a random password for each user synchronised to Active Directory during the initial reverse synchronisation. The passwords generated are stored in a text file that can be opened using Notepad by members of the Administrators and MSDSS Admins group. The file location is written to the MSDSS event log, with an event identification of 0 (zero). The dialog box shown in Figure 10 provides the name and path of the file containing users and their passwords:
Figure 10: MSDSS Event Properties Displaying Password File Location
Once the initial reverse synchronisation has completed, all users logging onto the Active Directory domain for the first time must change their passwords. When a password change occurs in Active Directory, MSDSS initiates a forward synchronisation.
Any password changes made within Active Directory overwrite the existing NDS passwords. If a password is changed in NDS, it is not synchronised to Active Directory and will therefore cause the user to have to enter two different passwords when trying to access resources on the different environments. If this occurs, the user can initiate a password change within Active Directory to rectify the situation.
7 STABILISE
The Stabilise phase involves testing the solution components whose features are complete, resolving and prioritising any issues that are found. Testing during this phase emphasises usage and operation of the solution components under realistic environmental conditions.
This involves testing and acceptance of the Active Directory migration solution.
Figure 11 acts as a high-level checklist, illustrating the critical components that an IT professional responsible for stabilising the Active Directory migration needs to determine.
Figure 11: Sequence for Stabilising an Active Directory Migration
7.1 Migration Test Process
The migration test process is the part of the Active Directory migration solution that needs to verify the migration will be successful. It should also include the process of testing the rollback plan to be implemented if issues are encountered that are deemed too serious to continue with the migration.
Also, the scripts and processes developed for the migration should be thoroughly tested before any large-scale live migrations are performed, to ensure they work as expected.
7.1.1 Pilot
As part of the pilot, all aspects of the migration solution will be carried out on a selected number of users. These users will be expected to carry out their day-to-day activities as normal, but with the additional responsibility of feeding back any issues regarding access to resources that were available prior to the migration.
The typical basic steps involved in a pilot include:
• Identifying the pilot users, their computers and the data to which they require continued access
• Migrating or synchronising these user accounts, including group membership and login scripts
• Migrating computer accounts to Active Directory, including the removal of any Novell Client for Windows in a NetWare environment
• Migrating data and other resources that are part of the migration but that do not interfere with other production environment users. This includes maintaining access to shared data and server-based applications for the pilot users
During the pilot, focus on the following areas:
• Check that all the users and their permissions to files and folders were migrated as expected
• Note the time taken to perform migration for the number of users taking part in the pilot
• Note the network bandwidth used during migration and ensure that other live users are not affected
Once the pilot has been completed, document the findings and rework the migration processes as necessary.
7.2 Reviewing Log Files
Whether migrating from a Windows or Novell environment, log files are crucial components in ensuring a successful migration. ADMT utilises log files stored in the ADMT database while SfN utilises the MSDSS Event Log to provide feedback on the status of tasks being carried out.
7.2.1 Microsoft Migration Logs
ADMT keeps a detailed log of the actions that it performs when migrating resources between Windows NT 4.0 and Active Directory domains. Whilst errors that occur during the migration process are written to the migration log, they may not produce a warning message in ADMT. Examine the migration log after a migration is complete to verify that all tasks were completed successfully.
Important
As it is important to complete the steps of the migration in the order specified in this document, check the migration log after each step, so that any failures discovered can be fixed.
The log files can be viewed from within the ADMT console, or by running ADMT at the command prompt using the task parameter.
7.2.2 Novell Migration Logs
The logs relating to MSDSS can be accessed through the MSDSS Event Viewer. To open the MSDSS Event Viewer, right-click any item in the left pane of the MSDSS window and select View Logs.
Figure 12 shows the events logged during a number of migration tasks:
Figure 12: MSDSS Event Log
APPENDIX A SKILLS AND TRAINING RESOURCES
The tables in this Appendix provide details of the suggested training and skill assessment resources available. This list is not exhaustive; there are many third-party providers of such skills. The resources listed are those provided by Microsoft.
PART I Microsoft Active Directory 2003
For further information on Active Directory, see http://www.microsoft.com/activedirectory
Skill or Technology Area | Resource Location | Description
Active Directory Design, including DNS design | http://technet2.microsoft.com/WindowsServer/en/Library/c283b699-6124-4c3a-87ef-865443d7ea4b1033.mspx | Links to sections on designing Active Directory
OU design | As above | As above
Table 13: Microsoft Active Directory 2003 Skills and Training Resources
PART II Active Directory Migration
For further information on Active Directory migration, see http://technet.microsoft.com/en-us/interopmigration/bb380225.aspx
Skill or Technology Area | Resource Location | Description
Upgrading from Windows NT Server 4.0 to Windows Server 2003 | http://www.microsoft.com/windowsserver2003/upgrading/nt4/default.mspx | Links to various resources on migrating from Windows NT 4.0
Upgrading from Windows 2000 Server to Windows Server 2003 | http://www.microsoft.com/windowsserver2003/upgrading/w2k/default.mspx | Links to various resources on migrating from Windows 2000 Server Active Directory
Resources for Interoperability and Migration of NetWare and Windows | http://technet.microsoft.com/en-us/interopmigration/bb380216.aspx | Links to various resources on migrating from Novell NetWare NDS or Bindery
Table 14: Active Directory Migration Skills and Training Resources
APPENDIX B ADMT SAMPLE OPTION FILE
The text below represents an example option file including all the available options that can be specified for the migration of users, groups, computers, security and service accounts.
[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
SourceDomainController="ADMIG-NT4"
;SourceOu="Source Organisational Unit Name"
TargetDomain="ADANYTRUST"
TargetDomainController="ADMIG-2K3-MS"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex
PasswordServer="ADMIG-NT4"
;PasswordFile="Password File Name"
ConflictOptions=Ignore
;UserPropertiesToExclude="Property1,Property2,Property3"
;InetOrgPersonPropertiesToExclude="Property1,Property2,Property3"
;GroupPropertiesToExclude="Property1,Property2,Property3"
;ComputerPropertiesToExclude="Property1,Property2,Property3"
[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No
[Group]
UpdateGroupRights=No
FixGroupMembership=Yes
MigrateSIDs=Yes
MigrateMembers=No
UpdatePreviouslyMigratedObjects=No
DisableOption=EnableTarget
SourceExpiration=None
[Computer]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
RestartDelay=5
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
AutoPostCheckRetry=No
AutoPostCheckRetryInterval=5
AutoPostCheckRetryNumber=2
[Security]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
SIDMappingFile="SID Mapping File Path"
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
[Service]
PreCheckOnly=No
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
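The following is an added example, not part of the original guide or of ADMT: a small Python parser for the option-file layout shown in this appendix that lists the active settings a security reviewer would want to sign off before a migration run, and reports syntax problems such as typographic quotes copied from a word-processed document. The function names, the review rules and the abridged sample text are assumptions made for this illustration.

```python
import re

# Constructed sample, abridged from the option file in this appendix. The last
# line keeps the typographic quotes that a word-processed copy introduces.
SAMPLE = '''\
[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
TargetDomain="ADANYTRUST"
PasswordOption=Complex
;PasswordFile="Password File Name"
ConflictOptions=Ignore

[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes

[Security]
TranslationOption=Replace
SIDMappingFile=\u201dSID Mapping File Path\u201d
'''

CURLY = "\u201c\u201d"  # left and right typographic double quotes
SECTION = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")

# Assumed review rules for this example: (key, lower-cased value) -> note.
REVIEW = {
    ("MigrateSIDs", "yes"): "source SIDs are carried to the target object (SID history)",
    ("PasswordOption", "complex"): "generated passwords are recorded in a password file",
    ("DisableOption", "enabletarget"): "target accounts are enabled after migration",
    ("SourceExpiration", "none"): "no expiry is set on the source accounts",
}


def parse_option_file(text):
    """Return (settings, problems).

    settings maps (section, key) -> (value, line_no); lines starting with ';'
    are commented-out options and are skipped. problems is a list of
    (line_no, message) for lines a reviewer should correct first.
    """
    settings, problems = {}, []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION.match(line)
        if match:
            section = match.group(1)
            continue
        match = SETTING.match(line)
        if not match or section is None:
            problems.append((line_no, f"unparseable line: {raw!r}"))
            continue
        key, value = match.group(1), match.group(2).strip()
        if value and (value[0] in CURLY or value[-1] in CURLY):
            problems.append((line_no, f"{key} value uses typographic quotes"))
            value = value.strip(CURLY)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if (section, key) in settings:
            problems.append((line_no, f"duplicate {key} in [{section}]"))
        settings[(section, key)] = (value, line_no)
    return settings, problems


def audit_option_file(text):
    """Return sorted (line_no, kind, message) findings for a reviewer."""
    settings, problems = parse_option_file(text)
    findings = [(line_no, "syntax", msg) for line_no, msg in problems]
    for (section, key), (value, line_no) in settings.items():
        note = REVIEW.get((key, value.lower()))
        if note:
            findings.append((line_no, "review", f"[{section}] {key}={value}: {note}"))
    # Generated passwords with no explicit file: the reviewer must find out
    # where the file lands and who can read it.
    option = settings.get(("Migration", "PasswordOption"))
    if option and option[0].lower() == "complex" \
            and ("Migration", "PasswordFile") not in settings:
        findings.append((option[1], "review",
                         "PasswordFile is not set: confirm where the password "
                         "file is written and who can read it"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, kind, message in audit_option_file(SAMPLE):
        print(f"line {line_no:>2}  {kind:<6}  {message}")
```
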
APPENDIX C DOCUMENT INFORMATION
PART I Terms and Abbreviations
Abbreviation Definition
ACL Access Control List
ADMT Active Directory Migration Tool
BDC Backup Domain Controller
CN Common Name
CSNW Client Service for NetWare
DNS Domain Name System
FMU File Migration Utility
FPNW File and Print Services for NetWare
GPO Group Policy object
IP Internet Protocol
IPX Internetwork Packet Exchange
IT Information Technology
LAN Local Area Network
MOF Microsoft Operations Framework
MSDSS Microsoft Directory Synchronisation Services
MSF Microsoft Solutions Framework
NAT Network Address Translation
NDS NetWare Directory Service
NTLM NT LAN Manager
OU Organisational Unit
PDC Primary Domain Controller
PES Password Export Server
RDN Relative Distinguished Name
SAM Security Accounts Manager
SfN Service for NetWare
SID Security Identifier
SP Service Pack
TCP/IP Transport Core Protocol/Internet Protocol
UPN User Principal Name
WAN Wide Area Network
WMSDE Microsoft SQL Server 2000 Desktop Engine
Table 15: Terms and Abbreviations