
Document: Module 2: Choosing a Migration Path to Windows 2000 Active Directory


Module 2: Choosing a Migration Path to Windows 2000 Active Directory

Contents

Overview
Introduction to Choosing a Migration Path
Identifying the Existing Domain Environment
Gathering Information About the Current Network Environment
Defining Goals for Migration
Examining the Active Directory Design
Determining Possible Migration Paths
Review

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz

Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123

Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic
(S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Lori Walker (S&T Consulting)

Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen

Group Product Manager: Robert Stewart


Instructor Notes

Presentation: 60 Minutes
Lab: 0 Minutes

This module introduces students to the different ways in which they can
accomplish migration to Microsoft® Windows® 2000, the considerations for
choosing one path over another, and the decision points that they can use to
determine an appropriate path for an enterprise, based on the current network
structure and migration goals of the enterprise.
There is no lab for this module.
At the end of this module, students will be able to:
• Identify the components of the existing Microsoft Windows NT® version
  4.0 domain structure that need to be documented prior to migration.
• Identify the areas of their current network environments that need to be
  documented and gather information about the current computing
  environment.
• Identify and prioritize their migration goals.
• Examine their organization's Active Directory™ directory service design.
• Examine the different ways in which organizations can choose to migrate to
  the Active Directory infrastructure.

Materials and Preparation
This section provides you with the materials and preparation tasks that are
needed to teach this module.

Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2010A_02.ppt
• Module 2, “Choosing a Migration Path to Windows 2000 Active Directory”

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Read the white paper, “Planning Migration from Microsoft Windows NT to
  Microsoft Windows 2000,” on the Student Materials compact disc.
• Read chapter 10 of the Windows 2000 Server Deployment Planning Guide,
  “Determining Domain Migration Strategies”, on the Student Materials
  compact disc.
• Read Appendix A: Managing and Mitigating Risks During a Migration, on
  the Student Materials compact disc.


Module Strategy
Use the following strategy to present this module:
• Introduction to Choosing a Migration Path
  Emphasize that choosing a migration path is the first step in developing a
  migration strategy. Provide an overview of the steps involved in choosing a
  path.
• Identifying the Existing Domain Environment
  Explain the components of the existing Windows NT 4.0 domain structure
  that should be documented prior to migration.
• Gathering Information About the Current Network Environment
  Explain what information to gather about the current network environment
  and the tools that students can use to gather this information. List some of
  the areas of the current network environment that need to be documented.
• Defining Goals for Migration
  Define business goals and migration goals. Clearly delineate between the
  two types of goals: Business goals define a business need or requirement,
  whereas migration goals specify the way that Windows 2000 meets the
  business need or solves a business problem. Explain some of the business
  reasons for migrating to Active Directory. Discuss the business goals and
  explain how they should map to migration goals.
• Examining the Active Directory Design
  Because the Active Directory design defines the end point for the migration,
  explain the need to analyze the design from the perspective of the migration
  goals. Give an example of a conflict that may emerge when comparing the
  goals of the Active Directory design with migration goals.
• Determining Possible Migration Paths
  Explain the various ways in which organizations can migrate to Windows
  2000 Active Directory. Make sure that students clearly understand the
  differences between the migration paths, because the rest of the course
  depends on comprehension of these concepts.
  The decision points for each migration path will help organizations select an
  appropriate route to Windows 2000. Ask students what migration path their
  organizations have chosen and which decision points helped them choose.
  Explain the decision points associated with selecting upgrade as the
  migration path. Explain the reasons for and against upgrading.
  Explain the decision points associated with selecting restructure as the
  migration path. Explain the reasons for and against restructuring.


Overview

Slide Objective
To provide an overview of the module topics and objectives.

Lead-in
In this module, you will learn about the steps involved in selecting a
migration path for an enterprise, based on the current network structure and
migration goals of the enterprise.

[Slide: Introduction to Choosing a Migration Path; Identifying the Existing Domain Environment; Gathering Information About the Current Network Environment; Defining Goals for Migration; Examining the Active Directory Design; Determining Possible Migration Paths]

The first step in developing a migration strategy is to select an appropriate
migration path to the Microsoft® Windows® 2000 Active Directory™ directory
service. Selecting a migration path can be a complex decision, but fortunately
there is no one right or wrong solution. One organization’s perfect solution to
migration may be inappropriate for another organization because of a difference
in business needs and a tolerance for risk to production and business
environments.
When selecting a migration path that meets your organizational or business
needs, you should carefully compare your goals to the capabilities of each
migration path. The one that you choose will affect the remainder of migration
planning.
At the end of this module, you will be able to:

• Identify the components of the existing Microsoft Windows NT® version
  4.0 domain structure that need to be documented prior to migration.
• Identify the areas of your current network environment that need to be
  documented, and gather information about the current computing
  environment.
• Identify and prioritize your migration goals.
• Examine the Active Directory design of your organization.
• Examine the different ways in which organizations can choose to migrate to
  the Active Directory infrastructure.


Introduction to Choosing a Migration Path

Slide Objective
To explain the steps involved in choosing a migration path.

Lead-in
When choosing a migration path, an enterprise must…

Avoid providing too much detail here. The purpose of this page is to provide
an overview of the steps to select a migration path.

[Slide: the seven numbered steps for choosing a migration path: Identify the existing domain environment; Gather information about the current network environment; Define goals for migration; Examine the Active Directory design; Determine possible migration paths; Evaluate upgrade decision points; Evaluate restructure decision points]

When selecting a migration path to Windows 2000 Active Directory, an
enterprise must:
1. Identify the existing domain environment.
Identifying the existing Windows NT 4.0 domain environment defines the
starting point for the migration and allows an organization to evaluate the
efficiencies and effectiveness of the current model in meeting the present
business needs.
2. Gather information about the current network environment.
Analyzing the impact that a migration will have on an organization’s
production environment requires a clear view of the information and
technologies that an organization uses and needs.
3. Define goals for migration.
The next step in selecting a migration path is to identify and prioritize your
migration goals. Your migration goals can relate to business or the
migration itself.
4. Examine the Active Directory design.
The Active Directory design identifies the migration project’s end goal, the
ideal domain infrastructure for an organization. You must conduct an initial
review of the Active Directory design, because the domain hierarchy it
proposes will strongly influence, if not dictate, the migration path that you
choose. Later, within the context of a domain upgrade or restructure plan, a
more thorough examination of the Active Directory design helps guide the
remaining migration planning and ensures that the business goals of the two
designs are aligned.
5. Determine possible migration paths.
This step involves identifying the different ways in which you can
accomplish migration to Windows 2000 and then carefully comparing your
goals to the capabilities of each migration path in order to select a path that
meets your needs.
6. Evaluate upgrade decision points.
This step involves examining the decision points associated with selecting
upgrade as the migration path.
7. Evaluate restructure decision points.
This step involves examining the decision points associated with selecting
restructure as the migration path and the reasons for choosing one migration
path over another.

Identifying the Existing Domain Environment

Slide Objective
To explain the factors to consider when determining an existing
Windows NT 4.0 domain structure.

Lead-in
Identifying your domain model is an important step that you must take before
you begin upgrading to an Active Directory infrastructure.

Emphasize that this is the first step in selecting a migration path. These
components should be well documented prior to migration.

Windows NT 4.0 Resource Kit utilities and third-party tools can assist in
documenting domain account details.

want to ask students what third-party domain account and administration tools
they are familiar with.

For larger organizations, the documentation required by this step is a large
undertaking. The migration project plan should allow adequate time for this
key migration planning step.

[Slide: Domain Model; Existing Trust Relationships; The Number and Location of Domain Controllers on Network; Accounts and Administration. Diagram labels: Centralized, Decentralized, Headquarters, OU]

Consider the following when you examine your existing Windows NT directory
services.

Domain Model
Most organizations have a Windows NT 4.0 domain model that includes several
account domains and many resource domains. When migrating or upgrading
existing domains to Windows 2000, your existing domain structure will
influence the Windows 2000 migration path that you ultimately choose. It may
also pinpoint unnecessary complexities or inefficient domains that were
reactively created for an obsolete purpose or function.

Existing Trust Relationships
Document the existing one-way and two-way trust relationships in your
network. Identify any domains and trust relationships that you do not want to
move into your Windows 2000 forest. Domains that are upgraded to
Windows 2000 domains and designated as part of the same forest will connect
to other Windows 2000 domains through transitive trust relationships. If you
upgrade your domains to Windows 2000, you will need to create explicit trust
relationships, as required, between Windows 2000 domains and down-level
domains that are not moved into the new forest.
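
The following sketch is an added example, not part of the original course material. It takes a documented trust inventory and the set of domains chosen for the forest, then lists which trusts the forest absorbs, which must be recreated explicitly with down-level domains, and which domain pairs gain trust they never had under NT 4.0. The domain names and the inventory are constructed, and the assumption is that each NT 4.0 trust is recorded as a one-way (trusting, trusted) pair.

```python
from itertools import permutations

# Constructed inventory of documented NT 4.0 trusts (hypothetical domain names).
# Each entry is one-way: (trusting domain, trusted domain); a two-way trust
# is recorded as two entries.
NT4_TRUSTS = {
    ("RES-SALES", "ACCT-HQ"),
    ("RES-PLANT", "ACCT-HQ"),
    ("RES-LAB", "ACCT-HQ"),
    ("ACCT-HQ", "ACCT-EU"),
    ("ACCT-EU", "ACCT-HQ"),
    ("RES-LAB", "PARTNER"),
}

# Assumption: these domains are upgraded into one Windows 2000 forest;
# RES-LAB and PARTNER stay down-level, outside the forest.
FOREST = {"ACCT-HQ", "ACCT-EU", "RES-SALES", "RES-PLANT"}


def plan_trusts(trusts, forest):
    """Classify documented trusts and list the trust the forest adds."""
    absorbed, explicit, untouched = [], [], []
    for trusting, trusted in sorted(trusts):
        ends_in_forest = (trusting in forest) + (trusted in forest)
        if ends_in_forest == 2:
            # Replaced by the forest's transitive trust.
            absorbed.append((trusting, trusted))
        elif ends_in_forest == 1:
            # Crosses the forest boundary: must be created explicitly.
            explicit.append((trusting, trusted))
        else:
            # Both ends stay down-level: not affected by the upgrade.
            untouched.append((trusting, trusted))
    # NT 4.0 trusts are one-way and non-transitive, so one domain trusts
    # another only where a trust is documented. Inside the forest every
    # domain trusts every other domain in both directions.
    widened = sorted(pair for pair in permutations(sorted(forest), 2)
                     if pair not in trusts)
    return {"absorbed": absorbed, "explicit": explicit,
            "untouched": untouched, "widened": widened}


if __name__ == "__main__":
    plan = plan_trusts(NT4_TRUSTS, FOREST)
    for name, pairs in plan.items():
        print(name)
        for trusting, trusted in pairs:
            print(f"  {trusting} trusts {trusted}")
```

The "widened" list is the one to review before a domain is designated as part of the forest: each pair is a trust direction that no administrator approved under the NT 4.0 model.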

The Number and Location of Domain Controllers on Network
Determining the number and location of domain controllers on your network
will allow you to plan the migration for each domain. Identify primary domain
controllers (PDCs) and backup domain controllers (BDCs) on physical and
logical network diagrams. Note their geographical locations and configuration
details.


Accounts and Administration
Document the domain location of user, group, and computer accounts. The
number and distribution of accounts may also affect the migration path that you
ultimately choose. Record key account properties, such as group account
membership, permissions to shares, and special rights assignments. This
information will be used during the pilot trial migrations to validate the
deployment plan. The information can also be used to determine whether any
accounts in the enterprise are no longer used so that obsolete and inaccurate
data does not migrate into the new directory service.
Some Information Technology (IT) organizations strictly control all
administrative functions. Others may centralize security assignment but allow
for decentralized day-to-day user administration. Examining and documenting
the domain administration culture will reveal the type of, and reasons for,
existing administrative traditions and may expose security gaps, outdated
policies, or redundancies.
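
The following sketch is an added example, not part of the original course material. It shows how the recorded account properties can be used to validate a pilot migration: it flags accounts that are no longer used, unused accounts that were migrated anyway, group memberships lost in the pilot, and rights gained in the pilot. The account names, dates, the 180-day threshold, and the record layout are constructed assumptions.

```python
from datetime import date

AS_OF = date(2000, 6, 1)  # constructed review date

# Constructed baseline documented before migration (hypothetical accounts).
BASELINE = {
    "ACCT-HQ\\alice": {"groups": {"Domain Users", "Sales"},
                       "rights": set(), "last_logon": date(2000, 5, 2)},
    "ACCT-HQ\\bkup": {"groups": {"Domain Users", "Backup Operators"},
                      "rights": {"SeBackupPrivilege"},
                      "last_logon": date(2000, 5, 1)},
    "ACCT-HQ\\carol": {"groups": {"Domain Users", "Finance"},
                       "rights": set(), "last_logon": date(2000, 4, 28)},
    "ACCT-HQ\\temp7": {"groups": {"Domain Users"},
                       "rights": set(), "last_logon": date(1998, 11, 3)},
    "ACCT-HQ\\svcold": {"groups": {"Domain Admins"},
                        "rights": {"SeServiceLogonRight"},
                        "last_logon": None},  # never logged on
}

# Constructed state of the same accounts after a pilot trial migration.
PILOT = {
    "ACCT-HQ\\alice": {"groups": {"Domain Users", "Sales"}, "rights": set()},
    "ACCT-HQ\\bkup": {"groups": {"Domain Users", "Backup Operators"},
                      "rights": {"SeBackupPrivilege",
                                 "SeTakeOwnershipPrivilege"}},
    "ACCT-HQ\\carol": {"groups": {"Domain Users"}, "rights": set()},
    "ACCT-HQ\\svcold": {"groups": {"Domain Admins"},
                        "rights": {"SeServiceLogonRight"}},
}


def validate_pilot(baseline, pilot, as_of, stale_days=180):
    """Compare the pilot result with the documented baseline."""
    # Accounts with no logon inside the window are treated as unused.
    stale = sorted(
        name for name, rec in baseline.items()
        if rec["last_logon"] is None
        or (as_of - rec["last_logon"]).days > stale_days
    )
    # Unused accounts that reached the new directory anyway.
    stale_migrated = [name for name in stale if name in pilot]
    # Active accounts the pilot failed to carry over.
    missing = sorted(name for name in baseline
                     if name not in stale and name not in pilot)
    lost_groups, gained_rights = {}, {}
    for name in sorted(baseline.keys() & pilot.keys()):
        lost = baseline[name]["groups"] - pilot[name]["groups"]
        gained = pilot[name]["rights"] - baseline[name]["rights"]
        if lost:
            lost_groups[name] = sorted(lost)      # access the user will lose
        if gained:
            gained_rights[name] = sorted(gained)  # privilege nobody recorded
    return {"stale": stale, "stale_migrated": stale_migrated,
            "missing": missing, "lost_groups": lost_groups,
            "gained_rights": gained_rights}


if __name__ == "__main__":
    for finding, value in validate_pilot(BASELINE, PILOT, AS_OF).items():
        print(f"{finding}: {value}")
```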

Gathering Information About the Current Network Environment

Slide Objective
To explain how to gather information about the current computing
environment.

Lead-in
Planning a migration to Windows 2000 Active Directory requires two important
steps: documenting your existing network’s physical and logical topology, and
ensuring a complete and accurate inventory of your organization’s
applications, information, and technology.

Emphasize that this is the second step in developing a migration plan.

Ask students about other areas of the network environment that will need to
be documented.

Remind students that this step should identify any locations, external to the
Windows NT SAM database, where user account information might be stored.
Microsoft Exchange is an example of such a location.

[Slide: Network Infrastructure; Hardware and Software; DNS Infrastructure; Information Store; Security; File, Print, and Web Server; Line of Business Applications]

Network architects must understand the current network environment before
they can plan a move to a better one. Moreover, the current environment is an
important reference point when evaluating whether progress is necessary. The
following are some areas of your current network environment that you need to
document.

Information Store Inventory
An information store inventory details what the organization needs to know to
run its business and operations. It specifies where and how information is stored
(such as in databases) and how data is moved and shared throughout the
organization. It identifies data-management policies, information origination,
data ownership, and patterns of information consumption and production in the
organization. Your inventory should also address statutory or legal restrictions,
such as encryption, that affect your data and information needs.

Hardware and Software Inventory
Conduct hardware and software inventories of all servers and client computers
in use on your network. Document routers, printers, modems, and other
hardware, such as redundant array of independent disks (RAID).
Your software inventory should list all applications found on servers and should
include version numbers of dynamic-link libraries (DLLs) associated with the
applications on your system. You should also ensure that the latest basic
input/output system (BIOS) is installed. Document hardware drivers and any
service packs that you might have applied to your operating system or
applications. Also, document network configurations for servers and client
computers, such as Internet Protocol (IP) addresses, primary Domain Name
System (DNS) Server, and gateway addresses.


Network Infrastructure
When documenting your network infrastructure, obtain hardware data to
document your infrastructure’s physical structure and software data to
document the existence and configuration of the protocols in use on your
network. You also need to document the logical organization of your network,
name and address resolution methods, and the existence and configuration of
services used, such as the Windows Internet Name Service (WINS) topology
and Dynamic Host Configuration Protocol (DHCP) reservations and option
configurations, to ensure that these services function appropriately after
migration. Documenting geographic locations, physical connectivity, and
available bandwidth between them will also assist you in making appropriate
installation decisions as they pertain to replication. In addition, you should
document statically assigned IP addresses and the presence of other
network operating systems.

DNS Infrastructure
Because an Active Directory forest requires a unique DNS namespace, it is
important to document any DNS namespaces in use in your organization.
Identify all zones and primary and secondary servers, in addition to the
configuration of zone transfers. You should also document the DNS software
versions in use, such as Berkeley Internet Name Domain (BIND).

File, Print, Web Servers, PDCs, and BDCs
Document the configuration details of all servers. Identify whether any of these
servers rely on special protocols or drivers. For instance, if a product needs to
reside on a BDC, the functionality of this product might be impacted when the
backup controller is upgraded to Windows 2000. As with any computer,
evaluate the hardware and associated drivers on these computers for
Windows 2000 compatibility through the Hardware Compatibility List (HCL).

Line of Business Applications
Identify all applications that your enterprise must have to perform its core
mission. Determine any dependencies that these applications have on network
protocols, versions of operating systems, or connectivity. Evaluate these
applications for compatibility with Windows 2000.

Security
Review your security standards and procedures for mobile and desktop users,
internal and external networks, and dial-up and remote access accounts.
Determine whether a centralized group or several groups perform the
administrative tasks—such as creating users, groups, and file shares; changing
passwords; and configuring device and object attributes. Document the specific
rights and membership lists of these groups.
Document the types of relationships that currently exist among office locations,
business units, and divisions in your organization. Document any existing user
and enterprise security policies. Identify what types of information are available
to which groups, and any significant restrictions required for certain types of
information, such as accounting data. Document any guidelines that exist
regarding appropriate network usage; for example, whether staff members can
access the Web and for what purposes, and what constitutes prohibited or
inappropriate access. The relationships that your company has with outside
vendors, customers, and joint-venture or business partners will also affect the
security measures in your migration strategy.


Defining Goals for Migration

Slide Objective
To explain some business reasons for migrating to Active Directory and how
business goals should map to migration goals.

Lead-in
Migration goals can relate to the business or the migration itself.

Emphasize that the key to the success of migration is delivering business
value. These are just a few of the business goals that an organization might
have for migrating to Windows 2000.

Other business goals may encompass manageability, scalability, security or
availability, needs or requirements.

Ask students what business goals or needs their organizations have relative
to migration.

Discuss the business goals and map them to migration goals. Continually
emphasize that the business must drive the decision to migrate and will have
a great impact on the migration path that they choose.

[Slide: Business Goals: Drive the decision to migrate to Windows 2000. Migration Goals: Are statements of what you expect the migration to accomplish; Can be used to assess the success of a migration project. Map Business Goals to Migration Goals: To ensure the alignment of business and technology objectives]

The key to the success of a Windows 2000 migration is delivering business
value by creating elements of technology and combining them into practical
solutions that address pressing business problems and leverage opportunities. In
creating a migration strategy, it is critical to identify and prioritize your
migration goals and to understand the implications of your choices. Your
migration goals can be business-related or relate to the migration itself.


Business Goals
Business needs, requirements, and goals drive the decision to migrate to
Windows 2000. It is important to define how the technology maps to the needs
and functions of the organization, thereby aligning technology with business
needs and goals. Technology exists to solve business problems and meet
business goals. If a function of technology does not exist to accomplish a
particular business goal, migration impedes functions that do meet business
goals and solve business problems.

Migration Goals
Migration goals are statements of what you expect the migration to accomplish.
Migration goals can be influenced by such concerns as the effect of disruption
on production systems. These goals can also be used to assess the success of a
migration project. In other words, if a migration goal requires that the uptime
during migration is 85 percent and the goal is not met, the project cannot be
considered successful.


Mapping Business Goals to Migration Goals
Migration goals should map to business goals to ensure the alignment of
business and technology objectives. During the migration project, when
conflicts arise, this mapping helps remind the project team of the business
interests that precipitated migration objectives. The following table is an
example of how business goals and needs should map to migration goals.

| Business goals | Map to migration goals |
|---|---|
| Minimize administrative overhead during migration | Seamless migration of user accounts. Users maintain their passwords. Administrators minimize the number of visits to the workstation. No requirement to set up new permissions for resources. |
| Maximize incremental value | The enterprise should obtain earliest access to key features of the new platform. |
| Maintain domain security | There should be no impact on security policy, other than improvement. |
| Minimize disruption to the business environment | User access to data and resources should be maintained during and after the migration. User access to applications should be maintained during and after the migration. The user’s familiar environment should be maintained during and after the migration. |
| Maintain or improve security of confidential customer information | Implement encrypting file system using certificates provided by Certificate Services. |
| Improve support of geographically dispersed end users | Maximize the administrative tool capabilities for remote use and resource administration. |
| Lower total cost of ownership and administration | Implement Group Policy for software distribution and updates. |


Examining the Active Directory Design

Slide Objective
To explain how to examine the Active Directory design and to give an example
of a conflict that may emerge.

Lead-in
Conflicts may emerge when comparing the goals of the Active Directory design
with migration goals and when validating the proposed Active Directory design
against the current network environment.

Emphasize that conflicts present significant risk to migration, and that these
conflicts must be resolved prior to beginning an upgrade.

[Slide: Identify Goal Conflicts; Identify Design Conflicts; Resolve Conflicts. Diagram: Business Goal: Reduce Total Cost of Ownership; Analyze; Multiple Forests; Total Cost of Ownership increases]

Conflicts or inconsistencies may emerge when comparing the goals of the
Active Directory design with the goals of the migration. They may also appear
when validating the proposed Active Directory design against the current
network environment. Defining a process to first identify and then resolve
design-related conflict is critical to the success of your migration.

Identifying Goal Conflicts
After you have identified the goals of the proposed Active Directory design,
verify that the migration goals reflect them. The Active Directory goals should
support and complement the migration goals, and vice versa.
Active Directory design goals and migration goals in conflict with one another
present a high risk to the migration. For example, if a business goal for
migration is to reduce the total cost of ownership (TCO), and your Active
Directory design proposes multiple forests, a conflict exists.

Identifying Design Conflicts
Conflicts may surface when comparing components of the Active Directory
design and the current network environment that create barriers or risks to the
upgrade. For example, if the proposed Active Directory design requires that
sites be independently fault-tolerant, but you have a single domain controller
located across an unreliable wide area network (WAN) link, a conflict exists.

Resolving Conflicts
Conflicts between the Active Directory design and your migration goals or the
current network environment must be mitigated before upgrade begins. You can
resolve these conflicts by:
• Identifying the business need for the proposed design or strategy.
• Ensuring that the business need is reflected in your migration goals.
• Ensuring the alignment of Active Directory goals with the migration goals.

If you cannot resolve the conflict, either the proposed Active Directory design
or the migration plans will need to change to accommodate the other.


Determining Possible Migration Paths

Slide Objective
To explain the different migration paths.

Lead-in
Depending on their migration goals, organizations may choose only to upgrade,
only to restructure, or to upgrade followed by restructure.

Emphasize that the term migration is used throughout this course as a general
term that may refer to any of these processes.

During your delivery, be conscientious about using the appropriate terms
because students may become confused about the different migration paths
early in the course.

Emphasize that domain migration is a very flexible process with many possible
permutations.

[Slide diagram labels: Domain Upgrade; Upgrade; Restructure; Domain Restructure]

Organizations can choose to migrate to the Active Directory infrastructure in
one of the following ways:
• Domain upgrade. Organizations that are satisfied with their current domain
  models or that cannot make major changes to their domain infrastructures
  may choose to migrate to Active Directory by performing a domain
  upgrade.
• Domain upgrade and then restructure. Organizations that have largely
  effective domain structures but want to fix some parts of them—for
  example, to incorporate small departmental domains—can upgrade to
  provide a target for restructure and can then restructure the components that
  no longer serve the needs of the organization effectively.
• Domain restructure. Organizations that want to redefine their domain
  structures either in part or as a whole can perform a domain restructure. The
  restructure methodology that you choose will vary depending on your
  migration goals, existing domain model, and your Active Directory design
  goals.
    • Post-upgrade. You can perform a restructure after a domain upgrade, as
      the second phase of migration to Windows 2000. The restructuring in
      such a case is aimed at reworking components of the domain structure to
      reduce complexity, or to bring resource domains with untrusted
      administrators into a forest in a secure way.
    • Instead of upgrade. Organizations may determine that their current
      domain structures are obsolete or ineffective, or that they cannot afford
      to jeopardize the stability of their current production environments
      during migration. Organizations in this situation may find it easier to
      design and build an ideal Windows 2000 environment that is isolated
      from the current production environment. After the new Active
      Directory forest has been built, they can begin domain restructuring by
      migrating users, groups, and resources into the new infrastructure.
    • Post-migration. Domain restructure occurs in a pure Windows 2000
      environment after migration to accommodate operational or structural
      changes to business, such as a merger or acquisition.




Evaluating Upgrade Decision Points

Slide Objective
To explain the decision points associated with determining a migration path,
and the reasons for choosing one migration path over another.

Slide: Reasons To Upgrade:
• Limited short-term resources
• Existing infrastructure meets business needs
• Infrastructure change would require too much change to organizational or
  business processes
• Want to keep existing IT organizational and administrative structure
• Can provide recovery to original environment
• Little, if any, change in number of machines required to support
  infrastructure
• Application incompatibility prevents restructure

Lead-in
Choosing a migration path can be a complex decision, but here are a few points
to get you started.

Explain the reasons for and against upgrading.

Consider the following when determining whether to upgrade your domains.

Reasons To Upgrade
Upgrade may be appropriate for you if:
• Your current domain structure meets your business objectives, and you can
  carry out a two-phase migration in which you can upgrade to
  Windows 2000 and then restructure to fix any problems.
• You determine that you can manage the migration without impacting your
  production environment.
• Your existing infrastructure meets business needs.
• You have limited short-term resources.
• You determine that an infrastructure change would require too much change
  to organizational or business processes.
• You want to keep the existing IT organizational and administrative
  structure.
• You need recovery to the original environment.
• You determine that there is little, if any, change in the number of computers
  required to support the infrastructure.
• An application incompatibility prevents restructure.
• You need a faster migration solution.



Reasons Not To Upgrade
Upgrade may be inappropriate for you if:
• You do not want to carry forward ineffective or outdated domain
  infrastructure.
• You determine that an infrastructure change directly impacts your
  production environment.
• You determine that there is little or no reduction in administrative costs.
• You determine that there is little or no reduction in the number of servers
  required.



Evaluating Restructure Decision Points

Slide Objective
To explain the decision points associated with determining a migration path
and the reasons for choosing one migration path over another.

Slide: Reasons To Restructure:
• Lower administrative costs
• Opportunity to fix ineffective or obsolete domain infrastructure
• Lower hardware costs long term
• No plans to reuse old infrastructure

Lead-in
Choosing a migration path can be a complex decision, but here are a few points
to consider.

Explain the reasons for and against restructuring.

Consider the following when determining whether to restructure your domains.

Reasons to Restructure
Restructure may be appropriate for you if:
• Your domain structure meets your business objectives, and you can carry
  out a two-phase migration in which you can upgrade to Windows 2000 and
  then restructure to fix any problems.
• Your current domain structure does not meet your business objectives.
• You determine that an upgrade will negatively impact your production
  environment.
• You want to lower long-term hardware costs and administrative costs.
• You need to fix ineffective or obsolete domain infrastructure.
• You do not plan to reuse old infrastructure.



Reasons Not To Restructure
Restructure may be inappropriate for you if:
• Your current domain infrastructure meets business needs.
• The domain must stay in mixed mode.
• The new infrastructure requires new IT roles and responsibilities not yet
  defined.
• There is a potential short-term increase in hardware costs.

Consider the following when determining whether to upgrade and then
restructure.

Reasons To Upgrade And Then Restructure
Upgrade followed by a restructure may be appropriate for you if:
• You need to fix ineffective or outdated domain infrastructure.
• You need to evolve departmental local area networks (LANs) into more
  centralized infrastructure.
• You need recovery to the original environment.
• You need to keep development out of the production environment.
• You want to lower short-term hardware costs and administrative costs.

Reasons Not To Upgrade And Then Restructure
Upgrade followed by a restructure may be inappropriate for you if:
• The two-phased approach takes longer to plan.
• The two-phased approach takes longer to deploy.



Class Discussion A: Choosing a Migration Path to Windows 2000

Slide Objective
To check students' understanding of how to choose an appropriate migration
path for an enterprise given its current network structure and migration goals.

Slide: diagram labeled MKTG, FINANCE, ACCTS, MFG, HR, REMOTE

Lead-in
Here is an example of how you can select a migration path for an enterprise
given its current network structure and migration goals.

Ask students why a domain upgrade would not be a good fit for this migration
scenario.

The IT management of a multinational oil company has determined that the
support and maintenance of the current network is time consuming and costly,
and that several million dollars can be saved each year by standardizing on the
Windows 2000 network platform and simplifying the domain environment. The
existing Windows NT 4.0 domain model consists of 8,000 user accounts
dispersed among more than 30 departmental and branch office domains joined
together with a complex web of trusts.
1. What are the key decision points for selecting a migration path in this
   scenario?
   Cost and administrative overhead in the form of support and
   maintenance of the domains, in addition to complexity of the existing
   domain model, will help determine the migration path.

2. What migration path best suits this company’s needs? Why?
   Domain restructure will allow the company to minimize the number of
   domains and trusts, which will simplify network manageability, thus
   allowing cost savings to be realized.



Class Discussion B: Choosing a Migration Path to Windows 2000

Slide Objective
To check students' understanding of how to choose an appropriate migration
path for an enterprise given its current network structure and migration goals.

Slide: diagram labeled California Account Domain, California Resource Domain,
Hong Kong Resource Domain, One way trusts

Lead-in
Here is another example of how you can select a migration path for an
enterprise given its current network structure and migration goals.

Ask students why a domain restructure would not be a good fit for this
migration scenario.

In 12 months, a small but growing manufacturer of electronics components
must begin production on a proprietary airplane guidance system for a major
commercial contract. This will require a workforce expansion of 20 percent.
The executive committee agrees with IT that migration is critical to providing
the level of security required by the confidentiality clause of the contract, but
insists that a migration path be identified quickly.

The company has standardized its desktop environment on Windows NT 4.0
Workstation and the current domain model is not complicated. Currently, there
is one Windows NT 4.0 master account domain, which holds all 10,000 user
accounts. One resource domain, a Windows NT 4.0 BDC, houses the inventory
and manufacturing databases, an e-mail server, and all U.S. computer accounts.
The second resource domain contains an e-mail server and the computer
accounts for the Hong Kong subsidiary.
1. What are the key decision points for selecting this migration path?
   The short time frame and the uncomplicated domain model are key to
   determining the migration path.



2. What migration path best suits this company’s needs? Why?
   Upgrade is the best migration path for this company because it is quick
   and simple. The current domain model is not complicated, and because
   redesigning the existing domain model would require a great deal of
   planning and deployment time, upgrade will meet the migration goals
   and needs of the company.

