[Link]
displaylang=en&id=13380 Microsoft Active Directory Topology Diagrammer
[Link] Visio step by step
[Link] Microsoft Assessment and Planning Toolkit
**************************************************
Audit and Assessment of Active Directory * Audit and Assessment of Windows Server * Audit and Assessment of Windows Workstations
[Link] Migration plan and check list
[Link] Gantt chart
[Link]
[Link]
Restructuring details limitations
Checklist: Performing an Interforest Migration
[Link]
Migration from Windows 2003 to Windows 2008 checklist
In-place upgrading
Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:
The Windows Server 2003 patch level should be at least Service Pack 1
You can't upgrade across architectures (x86, x64 and Itanium)
Standard Edition can be upgraded to both Standard and Enterprise Edition
Enterprise Edition can be upgraded to Enterprise Edition only
Datacenter Edition can be upgraded to Datacenter Edition only
This might be your preferred option when:
Your Active Directory Domain Controllers can still last three to five years (economically and technically)
You worked hard to get your Active Directory in the shape it's in.
Your servers are in tip-top shape.
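The upgrade rules above (minimum service pack, no cross-architecture upgrade, fixed edition paths), together with the note further down the page that Windows Server 2008 R2 is 64-bit only, decide for each existing server whether it can be upgraded in place or has to be replaced. The following PowerShell script is an added example, not code from the original page or any of the sources it links; it applies those rules to an inventory. It assumes inventory objects with Computer, Version ('2003' or '2008'), Edition, Arch ('x86', 'x64' or 'ia64') and ServicePack properties; Get-ServerInventory fills them in over WMI, and its parsing of the OS caption string is a best-effort guess rather than anything Microsoft documents.

```powershell
# Added example, not from the original page: audit an inventory of Windows Server
# 2003/2008 machines against the in-place upgrade rules given above (service pack,
# architecture, edition) and the later note that Windows Server 2008 R2 is 64-bit only.
# Assumptions: inventory objects carry Computer, Version ('2003' or '2008'), Edition,
# Arch ('x86', 'x64' or 'ia64') and ServicePack; Get-ServerInventory fills them in over
# WMI and its parsing of the OS caption is a best-effort guess, not a Microsoft API.

# Edition paths permitted for an in-place upgrade, exactly as listed on the page.
$EditionPaths = @{
    'Standard'   = @('Standard', 'Enterprise')
    'Enterprise' = @('Enterprise')
    'Datacenter' = @('Datacenter')
}

function Get-UpgradePath {
    param(
        [Parameter(Mandatory=$true)]$Server,                       # one inventory object
        [ValidateSet('2008', '2008R2')][string]$Target = '2008'    # what you are upgrading to
    )
    $blockers = @()

    if (@('2003', '2008') -notcontains $Server.Version) {
        $blockers += "no supported in-place path from '$($Server.Version)'"   # e.g. Windows 2000 Server
    }
    if ($Server.Version -eq '2008' -and $Target -eq '2008') {
        $blockers += 'already running Windows Server 2008'
    }
    # The page gives Service Pack 1 as the minimum patch level for a 2003 source.
    if ($Server.Version -eq '2003' -and $Server.ServicePack -lt 1) {
        $blockers += "service pack $($Server.ServicePack) is below the SP1 minimum"
    }
    # Upgrades never cross architectures (the target build keeps the source's Arch),
    # and 2008 R2 has no 32-bit build at all.
    if ($Target -eq '2008R2' -and $Server.Arch -eq 'x86') {
        $blockers += '32-bit source; Windows Server 2008 R2 is 64-bit only'
    }
    $targets = $EditionPaths[$Server.Edition]
    if (-not $targets) {
        $blockers += "edition '$($Server.Edition)' has no listed in-place path"
    }

    $action   = 'Replace with new hardware'
    $editions = ''
    if ($blockers.Count -eq 0) {
        $action   = "In-place upgrade to $Target ($($Server.Arch))"
        $editions = $targets -join '/'
    }
    New-Object PSObject -Property @{
        Computer       = $Server.Computer
        Source         = "$($Server.Version) $($Server.Edition) $($Server.Arch) SP$($Server.ServicePack)"
        Action         = $action
        TargetEditions = $editions
        Blockers       = $blockers -join '; '
    }
}

function Get-ServerInventory {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # Get-WmiObject talks DCOM, which Windows Server 2003 hosts still answer.
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $c | Select-Object -First 1
        $version = 'other'                                   # R2 hosts are targets, not sources
        if ($os.Caption -match '2008 R2')     { $version = 'other' }
        elseif ($os.Caption -match '2008')    { $version = '2008' }
        elseif ($os.Caption -match '2003')    { $version = '2003' }
        $edition = 'unknown'
        if ($os.Caption -match 'Standard|Enterprise|Datacenter|Web') { $edition = $matches[0] }
        # AddressWidth is the width of the running OS (32 on a 32-bit OS even on a 64-bit
        # CPU); Itanium is not distinguished from x64 here (assumption).
        $arch = if ($cpu.AddressWidth -eq 64) { 'x64' } else { 'x86' }
        New-Object PSObject -Property @{
            Computer = $c; Version = $version; Edition = $edition; Arch = $arch
            ServicePack = [int]$os.ServicePackMajorVersion
        }
    }
}

# Constructed sample inventory (no real hosts) so the audit can be run offline:
$SampleInventory = @(
    (New-Object PSObject -Property @{ Computer='DC01';  Version='2003'; Edition='Standard';   Arch='x86'; ServicePack=2 }),
    (New-Object PSObject -Property @{ Computer='DC02';  Version='2003'; Edition='Enterprise'; Arch='x64'; ServicePack=1 }),
    (New-Object PSObject -Property @{ Computer='APP01'; Version='2003'; Edition='Standard';   Arch='x86'; ServicePack=0 }),
    (New-Object PSObject -Property @{ Computer='FS01';  Version='2008'; Edition='Enterprise'; Arch='x64'; ServicePack=1 })
)
$SampleInventory | ForEach-Object { Get-UpgradePath -Server $_ -Target '2008R2' } |
    Format-Table Computer, Source, Action, TargetEditions, Blockers -AutoSize
# Live use: Get-ServerInventory -ComputerName 'dc01','dc02' |
#           ForEach-Object { Get-UpgradePath -Server $_ -Target '2008R2' }
```

On the sample, DC02 and FS01 come out as in-place candidates (Enterprise to Enterprise on x64), while DC01 and APP01 are flagged for replacement, DC01 because it is 32-bit and APP01 for being both 32-bit and below SP1. Run with `-Target '2008'` the same inventory lets DC01 through (32-bit to 32-bit) and blocks FS01 as already on 2008, which is the hybrid outcome the page describes later: old 32-bit boxes get replaced, newer 64-bit 2008 boxes get upgraded.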
Transitioning
Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window. Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native. When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this useful piece of information.
I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:
Restructuring means filling a new Active Directory from scratch
In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.
Transitioning is good when:
You worked hard to get your Active Directory in the shape it's in.
Your servers are faced with aging.
In-place upgrading leaves you with an undesired outcome (for instance 32-bit DCs).
You need a chance to place your Active Directory files on different partitions/volumes.
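The transitioning sequence above (promote the new DC, move the five FSMO roles, then demote the old DCs) is where "things can go wrong pretty fast", mostly because a role is transferred while replication is already broken or the new server is not yet a healthy DC. The following PowerShell script is an added example, not code from the original page or its author; it runs the pre-flight checks a practitioner would want and then transfers the roles. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) is available on the machine it runs on, that the account is in Domain Admins, Enterprise Admins and Schema Admins, that repadmin's /csv output carries a 'Number of Failures' column, and that $NewDc is a placeholder for the name of the freshly promoted domain controller.

```powershell
# Added example, not from the original page: pre-flight checks and FSMO role
# transfer for the transitioning path described above.
# Assumptions: the ActiveDirectory module is present (Windows Server 2008 R2 / RSAT);
# the caller is in Domain Admins, Enterprise Admins and Schema Admins (the latter two
# are needed for the domain-naming and schema roles); $NewDc is a placeholder name.
Import-Module ActiveDirectory

function Test-TransitionReadiness {
    param([Parameter(Mandatory=$true)][string]$NewDc)
    $issues = @()
    $domain = Get-ADDomain

    # The page requires at least Windows 2000 Native. The functional level alone does
    # not separate 2000 mixed from 2000 native; that is the ntMixedDomain attribute
    # on the domain object (1 = mixed, 0 = native).
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain
    if ($domain.DomainMode -eq 'Windows2000Domain' -and $domainObj.ntMixedDomain -eq 1) {
        $issues += 'Domain is in Windows 2000 mixed mode; raise it to Windows 2000 Native or higher first.'
    }

    # The new server must already be a replicating DC before it can hold any role.
    try   { $dc = Get-ADDomainController -Identity $NewDc }
    catch { $dc = $null }
    if (-not $dc) {
        $issues += "$NewDc is not a domain controller in $($domain.DNSRoot)."
    } else {
        # Infrastructure master on a global catalog only works when every DC in the
        # domain is a GC; otherwise phantom cleanup silently stops.
        $nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
        if ($dc.IsGlobalCatalog -and $nonGc) {
            $issues += "$NewDc is a GC but $(@($nonGc).Count) DC(s) are not; keep the Infrastructure Master on a non-GC."
        }
    }

    # Replication must be clean forest-wide; a transfer that does not replicate leaves
    # DCs disagreeing about who holds the role.
    # Assumption: 'Number of Failures' is the column name in repadmin's CSV output.
    $failures = repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 }
    foreach ($f in $failures) {
        $issues += "Replication failure: $($f.'Source DSA') -> $($f.'Destination DSA') ($($f.'Naming Context'))"
    }
    return $issues
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory=$true)][string]$NewDc)
    $issues = @(Test-TransitionReadiness -NewDc $NewDc)
    if ($issues.Count -gt 0) {
        $issues | ForEach-Object { Write-Warning $_ }
        throw 'Fix the issues above before moving any FSMO role.'
    }
    # Transfer, not seize: the current holders are online and hand the role over.
    # Adding -Force would seize; that belongs only in an isolated lab copy, never
    # against a production holder that is merely unreachable at the moment.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false

    # Verify from the directory itself rather than trusting the cmdlet's silence.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $stragglers = $holders | Where-Object { $_ -notlike "$NewDc*" }
    if ($stragglers) { throw "Roles still held elsewhere: $($stragglers -join ', ')" }
    Write-Output "All five FSMO roles are now on $NewDc. Demote the old DCs (dcpromo) only after replication has converged."
}

# Usage (placeholder name): Move-AllFsmoRoles -NewDc 'NEWDC01'
```

Two design points: the script transfers rather than seizes, because a seized role whose old holder later comes back online produces two masters, and it checks the functional level through ntMixedDomain rather than DomainMode, because the Get-ADDomain value 'Windows2000Domain' covers both Windows 2000 mixed and Windows 2000 native and only the latter meets the page's requirement.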
Restructuring
A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in this kind of migration.
Restructuring is good when:
Your current Active Directory environment is a mess or is uncontrollable
You want to build a new Active Directory environment and import (pieces of) your existing Active Directory environment.
You need to merge (information from)(domains from) two Active Directory forests together
You need to split (information from)(domains from) two Active Directory forests
[Link]
Active Directory Planning Worksheets
taken with permission from Active Directory Planning and Design by Harry Brelsford
Worksheets included:
Table 1: Business Needs Analysis (Q and A)
Table 2: Business Requirements Analysis
Table 3: Project Plan
Table 4: Active Directory Design and Planning Team
Table 5: Technical Requirements Analysis
Table 6: Security Requirements Planning
Table 7: Windows 2000 Server Network Infrastructure Planning
Table 8: Active Directory Design and Planning
Table 9: Windows NT 4.0 to Windows 2000 Migration Planning

Table 1: Business Needs Analysis (Q and A)
Columns: Question / Answer
Have you clearly defined the nature of the organization's business?
Has the organization developed a clear sense of direction or mission?
Does the organization have a clear philosophy for conducting its business affairs?
Are the organization's business goals attainable?
Are the organization's objectives logically related in a hierarchy that will lead to goal achievement?
Does the organization periodically reevaluate its objectives to be sure they have not grown obsolete?
Has the organization developed a logical and planned approach for collecting data on its internal and external environment?
Are data stored or filed in ways that allow easy retrieval of useful information?
Are reports produced that are seldom or never used?
Does the organization periodically review its information system to make certain it is useful and up-to-date?
List four or five key strengths of the organization.
What are key weaknesses in the organization?
In developing the organization's final strategy, did it consider three or four possible alternatives?
Are employees involved in making planning decisions?
Did management take time to communicate the final strategic plan to employees and deal with their concerns?
Is the timetable for implementation of the strategic plan realistic?
Have definite checkpoints been scheduled for assessing progress toward goals?
Has the organization developed effective ways of measuring progress?
Table 2: Business Requirements Analysis
Columns: Analysis Item / Sub-Analysis Item / Completed
Analyze the existing and planned business models
  Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
  Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
Analyze factors that influence company strategies
  Identify company priorities.
  Identify the projected growth and growth strategy.
  Identify relevant laws and regulations.
  Identify the company's tolerance for risk.
  Identify the total cost of operations.
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
Analyze business and security requirements for the end user
  Analyze the current physical model and information security model.
  Analyze internal and external security risks.
Other / Other / Other (blank rows)
Table 3: Project Plan
Columns: Tasks / Duration / Assigned Resources / Comments
Phase A. AD Design Creation
  A.1. Namespace (DNS) Selection
  A.2. Namespace Design
  A.3. Domain Tree/Forest Architectural Development
  A.4. AD Domain Naming Conventions
  A.5. DNS Design
  A.6. DNS Interoperability Issues
  A.7. DNS Zones and Administrative Model Development
  A.8. OU Development and Design
  A.9. Group and User Design
  A.10. Security Design and Development
  A.11. Delegation of Authority Design
  A.12. AD/Windows 2000 Capacity Planning
  A.13. Design of Group Policies
Phase B. Test Lab (Proof of Concept)
  B.1. Testing Server Functionality
  B.2. Core Service Testing (DNS, DHCP, WINS)
  B.3. Server Interoperability and Coexistence Testing
  B.4. Server Migration Testing
  B.5. Desktop Testing (Operating System, Applications)
  B.6. Network Infrastructure
  B.7. Hardware Infrastructure
Phase C. Production Pilot
  C.1. Launch Pilot Phase
  C.2. Pilot Planning Tasks
  C.3. Pilot Feedback
Phase D. Rollout
  D.1. Develop Implementation Plan
  D.2. Perform Work
  D.3. Troubleshooting
  D.4. Feedback
Other / Other / Other (blank rows)
Table 4: Active Directory Design and Planning Team
Columns: Team Member / Role / Comments
Enterprise or AD Architect
Corporate Standards Implementation Lead
Deployment Site Lead
Deployment Team Lead
Help Desk Lead
Networking Lead
Services/Product/Technology Lead
Developer Lead
End User Lead
Senior Management/Executive Representative
Line Manager(s)
Other / Other / Other (blank rows)
Table 5: Technical Requirements Analysis
Columns: Analysis Item / Sub-Analysis Item / Completed
Evaluate the company's existing and planned technical environment and goals
  Analyze company size and user and resource distribution
  Assess the available connectivity between the geographic location of worksites and remote sites
  Assess the net available bandwidth and latency issues
  Analyze performance, availability, and scalability requirements of services
  Analyze the method of accessing data and systems
  Analyze network roles and responsibilities. Roles include administrative, user, service, resource ownership, and application.
  Analyze security considerations
Analyze the impact of Active Directory on the existing and planned technical environment
  Assess existing systems and applications
  Identify existing and planned upgrades and rollouts
  Analyze technical support structure
  Analyze existing and planned network and system management
Analyze the business requirements for client computer desktop management
  Analyze end-user work needs
  Identify technical support needs for end-users
  Establish the required client computer environment standards
Analyze the existing disaster recovery strategy for client computers, servers, and the network
Analyze the impact of infrastructure design on the existing and planned technical environment
  Assess current applications
  Analyze network infrastructure, protocols, and hosts
  Evaluate network services
  Analyze TCP/IP infrastructure
  Assess current hardware
  Identify existing and planned upgrades and rollouts
  Analyze technical support structure
  Analyze existing and planned network and systems management
Other / Other / Other (blank rows)
Table 6: Security Requirements Planning
Columns: Analysis Item / Sub-Analysis Item / Completed
Design a security baseline for a Windows 2000 network that includes domain controllers, operations masters, application servers, file and print servers, RAS servers, desktop computers, portable computers, and kiosks
  Identify the required level of security for each resource. Resources include printers, files, shares, Internet access, and dial-in access
Design an audit policy
Design a delegation of authority policy
Design the placement and inheritance of security policies for sites, domains, and organizational units
Design an Encrypting File System strategy
Design an authentication strategy
  Select authentication methods. Methods include certificate-based authentication, Kerberos authentication, clear-text passwords, digest authentication, smart cards, NTLM, RADIUS, and SSL.
  Design an authentication strategy for integration with other systems
Design a security group strategy
Design a Public Key Infrastructure
  Design Certificate Authority (CA) hierarchies
  Identify certificate server roles
  Certificate management plan
  Integrate with third-party CAs
  Map certificates
Design Windows 2000 network services security
  Design Windows 2000 DNS security
  Design Windows 2000 Remote Installation Services (RIS) security
  Design Windows 2000 SNMP security
  Design Windows 2000 Terminal Services security
Provide secure access to public networks from a private network
Provide external users with secure access to private network resources
Provide secure access between private networks
  Provide secure access within a LAN
  Provide secure access within a WAN
  Provide secure access across a public network
Design Windows 2000 security for remote access users
Design a Server Message Block (SMB) signing solution
Design an IPSec solution
  Design an IPSec encryption scheme
  Design an IPSec management strategy
  Design negotiation policies
  Design security policies
  Design IP filters
  Design security levels
Other / Other / Other (blank rows)
Table 7: Windows 2000 Server Network Infrastructure Planning
Columns: Analysis Item / Sub-Analysis Item / Completed
Modify and design a network topology
Design network services that support application architecture
Design a resource strategy
  Plan for the placement and management of resources
  Plan for growth
  Plan for decentralized or centralized resources
Design a TCP/IP networking strategy
  Analyze IP subnet requirements
  Design a TCP/IP addressing and implementation plan
  Measure and optimize a TCP/IP infrastructure design
  Integrate software routing into existing networks
  Integrate TCP/IP with existing WAN requirements
Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS
Design a DHCP strategy
  Integrate DHCP into a routed environment
  Integrate DHCP with Windows 2000
  Design a DHCP service for remote locations
  Measure and optimize a DHCP infrastructure design
Design name resolution services
  Create an integrated DNS design
  Create a secure DNS design
  Create a highly available DNS design
  Measure and optimize a DNS infrastructure design
  Design a DNS deployment strategy
  Create a WINS design
  Create a secure WINS design
  Measure and optimize a WINS infrastructure design
  Design a WINS deployment strategy
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA
Design a Distributed file system (Dfs) strategy
  Design the placement of a Dfs root
  Design a Dfs root replica strategy
Designing for Internet connectivity
  Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, Web server, or mail server
  Design a load-balancing strategy
Design an implementation strategy for dial-up remote access
  Design a remote access solution that uses Routing and Remote Access
  Integrate authentication with Remote Authentication Dial-In User Service (RADIUS)
  Design a virtual private network (VPN) strategy
  Design a Routing and Remote Access routing solution to connect locations
  Design a demand-dial routing strategy
Other / Other / Other (blank rows)
Table 8: Active Directory Design and Planning
Columns: Analysis Item / Sub-Analysis Item / Completed
Design an Active Directory forest and domain structure
  Design a forest and schema structure
  Design a domain structure
  Analyze and optimize trust relationships
Design an Active Directory naming strategy
  Establish the scope of the Active Directory
  Design the namespace
  Plan DNS strategy
Design and plan the structure of organizational units (OUs). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure.
  Develop an OU delegation plan
  Plan Group Policy Object management
  Plan policy management for client computers
Plan for the coexistence of Active Directory and other directory services
Design an Active Directory site topology
  Design a replication strategy
  Define site boundaries
Design a schema modification policy
Design an Active Directory implementation plan
Design the placement of operations masters. Considerations include performance, fault tolerance, functionality, and manageability
Design the placement of Global Catalog servers. Considerations include performance, fault tolerance, functionality, and manageability
Design the placement of domain controllers. Considerations include performance, fault tolerance, functionality, and manageability
Design the placement of DNS servers. Considerations include performance, fault tolerance, functionality, and manageability
  Plan for interoperability with the existing DNS
Other / Other / Other (blank rows)
Table 9: Windows NT 4.0 to Windows 2000 Migration Planning
Columns: Analysis Item / Sub-Analysis Item / Completed
Choose the type of migration. Types include upgrade, restructure Windows NT to Windows 2000, restructure Windows 2000 to Windows 2000, upgrade and restructure, inter-forest restructure, and intra-forest restructure
Plan the domain restructure
  Select the domains to be restructured and decide on the proper order for restructuring them.
  Decide when incremental migrations are appropriate
  Implement organizational units (OUs)
Select the appropriate tools for implementing the migration from Windows NT to Windows 2000. Tools include Active Directory Migration Tool (ADMT); ClonePrincipal and NETDOM (for the interforest type), and MoveTree and NETDOM (for the intraforest type)
Perform pre-migration tasks
  Develop a testing strategy for upgrading and implementing a pilot migration
  Prepare the environment for upgrade. Considerations include readiness remediation
  Plan to install or upgrade DNS
  Plan the upgrade for hardware, software, and infrastructure
  Assess current hardware
  Assess and evaluate security implications. Considerations include physical security, delegating control to groups, and evaluating post-migration security risks
  Assess and evaluate application compatibility. Considerations include Web Server, Microsoft Exchange, and line of business (LOB) applications.
  Assess the implications of an upgrade for network services. Considerations include RAS, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, and third-party DNS.
  Assess security implications. Considerations include physical security, certificate services, SID history, and evaluating post-migration security risks
  Identify upgrade paths. Considerations include O/S version and service packs
  Develop a recovery plan. Considerations include Security Account Manager, WINS, DHCP, and DNS
Upgrade the PDC, the BDCs, the application servers, and the RAS servers
  Implement system policies as Group Policies
  Implement replication bridges as necessary
  Decide when to switch to native mode
If necessary, develop a procedure for restructuring.
  Create a Windows 2000 target domain, if necessary
  Create trusts as necessary
  Create OUs
  Create sites
  Reapply account policies and user rights in the Windows 2000 Group Policy
Plan for migration
  Migrate groups and users
  Migrate local groups and computer accounts
  Verify the functionality of Exchange. Considerations include service accounts and mailboxes
  Map mailboxes
Test the deployment
  Implement disaster recovery plans
  Have a plan to restore to a pre-migration environment
Perform post-migration tasks
  Redefine DACLs
  Back up source domains
  Decommission source domains and redeploy domain controllers
Other / Other / Other (blank rows)
[Link]
Any migration procedure should define the reasons for migration, steps involved, fallback precautions, and other important factors that can influence the migration process. After finalizing these items, the migration can begin.

Identifying Migration Objectives
Two underlying philosophies influence technology upgrades, each philosophy working against the other. The first is the expression "If it ain't broke, don't fix it." Obviously, if an organization has a functional, easy-to-use, and well-designed Windows Server 2003/2008 infrastructure, popping in that Windows Server 2008 R2 DVD and upgrading might not be so appealing. The second philosophy is something along the lines of "Those who fail to upgrade their technologies perish." Eventually, all technologies become outdated and unsupported. Choosing a pragmatic middle ground between these two philosophies effectively depends on the factors that drive an organization to upgrade. If the organization has critical business needs that can be satisfied by an upgrade, such an upgrade might be a good idea. If, however, no critical need exists, it might be wise to wait until the next iteration of Windows or a future service pack for Windows Server 2008 R2.

Establishing Migration Project Phases
After the decision is made to upgrade, a detailed plan of the resources, timeline, scope, and objectives of the project should be outlined. Part of any migration plan requires establishing either an ad-hoc project plan or a professionally drawn-up project plan. The migration plan assists the project managers of the migration project to accomplish the planned objectives in a timely manner with the correct application of resources. The following is a condensed description of the standard phases for a migration project:

Discovery
The first portion of a design project should be a discovery, or fact-finding, portion. This section focuses on the analysis of the current environment and documentation of the analysis results. Current network diagrams, server locations, wide area network (WAN) throughputs, server application dependencies, and all other networking components should be detailed as part of the Discovery phase.

Design
The Design portion of a project is straightforward. All key components of the actual migration plan should be documented, and key data from the Discovery phase should be used to draw up design and migration documents. The project plan itself would normally be drafted during this phase. Because Windows Server 2008 R2 Active Directory is not dramatically different from Windows Server 2003 or 2008, significant reengineering of an existing Active Directory environment is not necessary. However, other issues such as server placement, new feature utilization, and changes in AD DS replication models should be outlined.

Prototype
The Prototype phase of a project involves the essential lab work to test the design assumptions made during the Design phase. The ideal prototype would involve a mock production environment that is migrated from Windows Server 2003/2008 to Windows Server 2008 R2. For Active Directory, this means creating a production domain controller (DC) and then isolating it in the lab and seizing the Flexible Single Master Operations (FSMO) roles with a server in the lab. The Active Directory migration can then be performed without affecting the production environment. Step-by-step procedures for the migration can also be outlined and produced as deliverables for this phase.

Pilot
The Pilot phase, or Proof-of-Concept phase, involves a production test of the migration steps, on a limited scale. For example, a noncritical server could be upgraded to Windows Server 2008 R2 in advance of the migration of all other critical network servers. In a slow, phased migration, the Pilot phase would essentially transition into Implementation, as upgrades are performed slowly, one by one.

Implementation
The Implementation portion of the project is the full-blown migration of network functionality or upgrades to the operating system. As previously mentioned, this process can be performed quickly or slowly over time, depending on an organization's needs. It is, subsequently, important to make the timeline decisions in the Design phase and incorporate them into the project plan.

Training and support
Learning the ins and outs of the new functionality that Windows Server 2008 R2 can bring to an environment is essential in realizing the increased productivity and reduced administration that the OS can bring to the environment. Consequently, it is important to include a Training portion in a migration project so that the design objectives can be fully realized.
Comparing the In-Place Upgrade Versus New Hardware Migration Methods
Due to the changes in Windows Server 2008 R2, the in-place upgrade path is limited to servers using the 64-bit version of Windows Server 2003 and Windows Server 2008. Depending on the type of hardware currently in use in a Windows Server 2003/2008 network, this type of migration strategy might be an option. Often, however, it is more appealing to simply introduce newer systems into an existing environment and retire the current servers from production. This technique normally has less impact on current environments and can also support fallback more easily.

Note: Because Windows Server 2008 R2 is a 64-bit only operating system, upgrades from 32-bit versions of older operating systems are not supported. Upgrades from Windows 2000 Server are also not supported.

Determining which migration strategy to use depends on one additional factor: the condition of the current hardware environment. If Windows Server 2003/2008 is taxing the limitations of the hardware in use, it might be preferable to introduce new servers into an environment and simply retire the old Windows Server 2003/2008 servers. This is particularly true if the existing servers are veterans of previous upgrades, maybe transitioning from Windows 2000 Server to Windows Server 2003 to Windows Server 2008. If, however, the hardware in use for Windows Server 2003/2008 is newer and more robust, and could conceivably last for another two to three years, it might be easier to simply perform in-place upgrades of the systems in an environment. In most cases, organizations take a hybrid approach to migration. Older hardware, 32-bit systems, or Windows Server 2003 domain controllers are replaced by new hardware running Windows Server 2008 R2. Newer Windows Server 2008 64-bit systems are instead upgraded in place to Windows Server 2008 R2. Consequently, auditing all systems to be migrated and determining which ones will be upgraded and which ones will be retired are important steps in the migration process.

Identifying Migration Strategies: Big Bang Versus Phased Coexistence
As with most technology implementations, there are essentially two approaches in regard to deployment: a quick Big Bang approach or a slower phased coexistence approach. The Big Bang option involves the entire Windows Server 2003/2008 infrastructure being quickly replaced, often over the course of a weekend, with the new Windows Server 2008 R2 environment; whereas the phased approach involves a slow, server-by-server replacement of Windows Server 2003/2008. Each approach has its particular advantages and disadvantages, and key factors to Windows Server 2008 R2 should be taken into account before a decision is made. Few Windows Server 2008 R2 components require a redesign of current Windows Server 2003/2008 design elements. Because the arguments for the Big Bang approach largely revolve around not maintaining two conflicting systems for long periods of time, the similarities between Windows Server 2003/2008 and Windows Server 2008 R2 make many of these arguments moot. Windows Server 2008 R2 domain controllers can easily coexist with Windows Server 2003/2008 domain controllers. With this point in mind, it is more likely that most organizations will choose to ease into Windows Server 2008 R2, opting for the phased coexistence approach to the upgrade. Because Windows Server 2008 R2 readily fits into a Windows Server 2003/2008 environment, and vice versa, this option is easily supported.

Exploring Migration Options
As previously mentioned, the Windows Server 2008 R2 and Windows Server 2003/2008 Active Directory domain controllers coexist together very well. The added advantage to this fact is that there is greater flexibility for different migration options. Unlike migrations from NT 4.0 or non-Microsoft environments such as Novell NDS/eDirectory, the migration path between these two systems is not rigid, and different approaches can be used successfully to achieve the final objectives desired. In this article, three Windows Server 2008 R2 migration scenarios are explored:
Big Bang migration: This scenario upgrades all domain controllers in a short span of time. This is typically suitable only for single domain and small organizations.
Phased migration: This scenario takes a phased coexistence approach and upgrades the domain controllers in phases over an extended period of time. During this time, there is coexistence between the existing versions of Active Directory and the new Windows Server 2008 R2 Active Directory Domain Services. This is typically the approach used when there are multiple domains or for large organizations.
Multiple domain consolidation migration: A variation on the phased upgrade, the multiple domain consolidation migrates the existing domains to a new Windows Server 2008 R2 Active Directory domain. This is the typical approach when there are problems with the existing domains, too many domains, or when merging organizations.
[Link] Blog for AD migration from 2k3 to 2k8
[Link]
[Link] Domain Controller time article
[Link]
Demos and articles migrating AD domains
[Link] Migration forums
[Link] Migration expert
[Link]
Migration check list
You will have to cover at least the following:
Collect diagrams and configuration of current DNS
Collect diagrams and configuration of current network structure -- include bandwidth, remote locations and stability
Collect listings of all servers and their criticality
Collect listing of workstations that will be affected
Understand how all of the servers and workstations interrelate
Collect information on the security policies or the requirements if you have to create a security policy
Determine the type of migration (post restructure, pre-restructure, pristine build or upgrade)
Determine the rights, objects and policies that will need to be migrated.
Determine the fall back procedures in case of failure. This involves procedures for servers, backups, secondary systems, etc.

Then you start the development of the plans:
User education and notification plan (this gets missed so often)
IT training plan
DNS structure and implementation plan (must be completed first)
AD installation and implementation/migration plan
  Must include fallback plan
  Must have interim operations plans (how to support)
  Must have interim functionality plan (how replication, WINS, DNS and logins will be working)
  Installation of AD
  Installation/upgrade of servers
  Trusts required and how to install
  Sites that will be installed
  Hardware required

Here is the post-AD installation planning:
Must include cleanup of old accounts, groups, ACLs, etc.
Retirement of old systems
Retirement of old domains
Move to NATIVE mode
Upgrading other servers (applications, Web systems, etc.)
Support plan for the migration and post migration

Here is the group policy planning:
Development of group policy for user accounts, passwords, security
GP for event logs, desktops, etc.
Who has access to modify group policy

Here is the operations planning:
Who will be administrating the AD and each piece of the AD
Help desk functions
IT server administration functions

Well, that is my quick list. There is more of course, and the list is a little dynamic based on the type of migration that occurs.