Migrating to Windows Server 2003, Active Directory, And Exchange 2003


8/10/2019 Migrating to Windows Server 2003, Active Directory, And Exchange 2003

Contents

Chapter 1 The Windows Server System: Featuring Windows Server 2003 and Exchange Server 2003 . . . 1
    Introduction . . . 1
    Introducing Windows Server System . . . 2
    The Windows Server 2003 Family . . . 3
    Web Edition: Not just the small kid on the block . . . 3
    Evaluating Windows Server 2003's Directory Service Improvements . . . 3
    Upgrading to AD from NT 4.0 . . . 6
    Upgrading to Windows Server 2003 AD from Windows Server 2000 . . . 6
    Technology and Functionality . . . 6
    Manageability . . . 8
    AD administration . . . 8
    Group Policy management . . . 9
    Command line tools . . . 9
    Overview of Windows Server 2003 Deployment and Migration . . . 10
    Hardware Requirements . . . 10
    System Compatibility . . . 11
    The Windows Catalog: HCL on steroids . . . 11
    Application compatibility . . . 11
    Compatibility tools and resources . . . 13
    Upgrade vs. Migration . . . 13
    Upgrading . . . 14
    Migrating . . . 14
    Security IDs . . . 14
    Repermissioning resources . . . 15
    SID History . . . 15
    A common solution . . . 16
    Evaluating Exchange Server 2003's New Capabilities and Features . . . 16
    Exchange Server 2003 Editions . . . 16
    Retired Features . . . 17
    Security Enhancements . . . 18
    Manageability Improvements . . . 18
    Antispam Features . . . 18
    Backup Features . . . 19
    Mobile Access: OWA, OMA, and RPC Over HTTP . . . 19
    New Features for the Outlook Client . . . 21

Books
http://www.windowsitlibrary.com/Ebooks
http://www.netiq.com/

    An Overview of Exchange Server 2003 Deployment and Migration . . . 24
    Hardware Requirements . . . 24
    OS Requirements . . . 24
    Optimized for Windows Server 2003 . . . 25
    Interoperability with Exchange Server 2000 and Exchange Server 5.5 . . . 25
    Mixed Mode vs. Native Mode . . . 25
    Coexistence and Upgrades . . . 26
    Installation and Deployment Improvements . . . 26
    Upgrading from Exchange 2000 Server . . . 28
    Migrating from Exchange Server 5.5 . . . 29


Chapter 2 Active Directory Design . . . 30
    A Brief Overview of Key Active Directory Elements . . . 30
    Forest Design . . . 32
    Forest Characteristics . . . 32
    Forest Design Tenets . . . 33
    A single forest is the most straightforward design . . . 33
    A forest shares common security enforcement . . . 33
    A forest indicates and requires ownership of forest data and service . . . 33
    A forest implies strong levels of trust between administrators of each domain within the forest . . . 33
    A forest implies high levels of collaboration between administrators of each domain within the forest . . . 34
    A forest implies high levels of collaboration between users in various domains in the forest . . . 34
    Evaluating Forest Design Factors . . . 35
    Forest service and data ownership . . . 35
    Administrative complexity . . . 35
    Cross-forest trusts . . . 35
    Metadirectory services . . . 36
    Domain Design . . . 36
    Domain Characteristics . . . 36

    Administrative boundary . . . 36
    Data boundary . . . 37
    Authentication boundary . . . 37
    User account security policy boundary . . . 38
    Policy-based administration boundary . . . 38
    Domain Models . . . 38
    Single domain model . . . 38
    A dedicated forest root domain . . . 39
    Single global child domain model . . . 39
    Multiple domain models . . . 40
    Evaluating Domain Models . . . 41
    Divergent security policies . . . 41
    Minimizing replication traffic . . . 41
    Data isolation requirements . . . 42
    Data autonomy requirements . . . 42


    DNS Namespace Design . . . 42
    Typical DNS Designs . . . 43
    Subdomain . . . 43
    A .local domain . . . 43
    Interoperating with Existing DNS Infrastructures . . . 43
    NetBIOS Names . . . 44
    UPN Suffixes . . . 44
    OU Design . . . 44
    1. Collect objects sharing common administration . . . 45
    2. Collect objects sharing similar configuration, application, or security settings . . . 45
    3. Collect objects for visibility . . . 46
    Site Design . . . 46
    The Functions of Sites . . . 46
    Server Placement . . . 47
    Domain Controllers . . . 47
    Operations Masters . . . 47
    Forest-wide operations . . . 48
    Domain naming . . . 48
    Schema maintenance . . . 48
    Domain operations . . . 48
    Relative Identifier assignment . . . 48
    Infrastructure master . . . 48
    PDC Emulator . . . 49
    Placement of Operations Masters . . . 50
    Forest operations . . . 50
    Domain operations . . . 50
    Key Points . . . 50


Chapter 3 Migration Planning . . . 52
    Assembling the Planning and Migration Team . . . 52
    Identifying the Big Picture Elements . . . 52
    Migration Tasks . . . 54
    Training IT Staff and End Users . . . 55
    Auditing the Existing Environment . . . 56
    Auditing the Network Infrastructure . . . 56
    Auditing the Directory Services Infrastructure . . . 57
    Auditing Servers . . . 59
    Auditing Applications and Services . . . 60
    Auditing Resources . . . 61
    Auditing Clients and the User Environments . . . 62
    Getting Help in the Auditing Phase . . . 64
    Planning Active Directory Design . . . 64
    Evaluating Upgrade vs. Restructure Migration . . . 64
    Planning the Migration Path . . . 65
    Evaluating DCs . . . 65
    Identifying Opportunity for Server Consolidation and Reappropriation . . . 65
    Evaluating Server Migration Order . . . 66
    Next Steps . . . 67
    Resources . . . 67


Chapter 4 Migration Implementation . . . 68
    Overview of Migration . . . 68
    Domain Upgrade . . . 68
    Domain Restructure . . . 68
    Resource Access During and After Migration . . . 69
    A review of security fundamentals . . . 69
    The effect of domain restructure . . . 70
    Security translation . . . 70
    sIDHistory . . . 70
    Group membership . . . 71
    Understanding ADMT . . . 71
    Other Considerations in a Domain Restructure . . . 73
    Deploying the New Environment . . . 73
    Delegate the DNS Zone for the Forest Root Domain . . . 74
    Install the First DC in the Forest Root Domain . . . 74
    Install Windows Server 2003 . . . 74
    Install Active Directory . . . 74
    Post-installation tasks . . . 75
    Install Additional DCs in the Forest Root Domain . . . 77
    Configure Site Topology . . . 78
    Complete the Installation of the Forest Root Domain . . . 78
    Complete Additional Domains in the Forest . . . 79
    Preparing to Migrate with ADMT . . . 79
    Establishing a two-way trust between the source and target . . . 80
    Establishing migration credentials . . . 81
    Installing ADMT . . . 84
    Preparing the target domain . . . 85
    Preparing the source domain . . . 85
    A nifty shortcut . . . 86
    Preparing to migrate passwords . . . 87
    Preparing the target domain . . . 87
    Generating the encryption key . . . 88
    Configuring the PES . . . 88


    Using ADMT to Migrate from Windows NT Server 4.0 to Windows Server 2003 . . . 89
    Migrating or Recreating Trust Relationships . . . 90
    Identifying Service Accounts . . . 91
    Migrating Global Groups . . . 92
    Remigrating groups . . . 92
    Creating a Group Mapping and Merging Plan . . . 94
    Builtin Groups . . . 94
    A Summary of Group Migration Tasks . . . 95
    Migrating Users . . . 95
    User account properties . . . 97
    Migrating Computers . . . 97
    Migrating servers and workstations . . . 98
    Translating Security . . . 98
    Creating a SID mapping file . . . 101
    Translate Local User Profiles . . . 102
    Migrating Local Groups . . . 103
    Establishing appropriate trust relationships . . . 104
    Migrating shared local groups . . . 105
    Processing group membership . . . 105
    When to migrate shared local groups . . . 105
    Migrating service accounts . . . 106
    Decommissioning DCs . . . 108
    Troubleshooting . . . 109
    Advanced Migration Tools . . . 109
    Third-Party Migration Tools . . . 109
    High-level features to evaluate . . . 110
    Support for complex environments . . . 110
    Project-based migration . . . 110
    Monitoring and reporting . . . 110
    Roll-forward and rollback . . . 110
    Email migration . . . 111
    Desktop migration features . . . 111
    Desktop upgrade or deployment . . . 111
    Terminal Server profile support . . . 111
    Security translation in complex environments . . . 111
    Migration cleanup . . . 111
    Other features . . . 111
    Migration Services and Support . . . 112
    Next Steps . . . 113


Chapter 5 Maintaining Windows Server 2003 in a Post-Migration Environment . . . 114
    Preparing for the Administration of Windows Server 2003 . . . 114
    Native Administrative Tools . . . 114
    Customize the Location of the Administrative Tools Folder . . . 114
    Install the Full Suite of Native Administrative Tools . . . 115
    Introduction to the Microsoft Management Console . . . 116
    Familiar Snap-ins . . . 117
    Tools Relocated to the MMC Framework . . . 117
    New Snap-ins and Consoles . . . 117
    Super Consoles with Multiple Snap-ins . . . 117
    Creating Simple Customized Consoles . . . 118
    Create a Simple Customized MMC Snap-in . . . 118
    Other Important Administrative Tools . . . 120
    Support Tools . . . 121
    Group Policy Management Console . . . 121
    Resource Kit . . . 121
    Service-Specific Administrative Tools . . . 121
    Remote Desktop . . . 121
    Configuring Remote Desktop for Administration . . . 121
    Enable Remote Desktop for Administration . . . 122
    The Client Side . . . 122
    Install the Remote Desktop Client . . . 122
    Managing RDCs . . . 122
    End a User's RDC to a Server . . . 123
    Configure Remote Desktop Session Behavior . . . 123
    Using Alternate Credentials (aka Secondary Logon or Runas) . . . 123
    Run a Program with Administrative Credentials . . . 124
    Other Run As Options . . . 124
    Important Notes About the Runas Command . . . 124
    Models for Providing Administrative Tools . . . 125
    Active Directory Administration 101 . . . 125
    User Accounts . . . 125
    Create a User Account . . . 125
    Manage a User Object or Account . . . 126
    Unlock a User Account . . . 127


    Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Create a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Group Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    Distribution Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    Group Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Domain Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Global Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Universal Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

    Nesting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Adding Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

    Computer Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

    Creating Computer Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Create a Computer Object or Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Manage a Computer Object or Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

    Joining to a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Join a Computer to a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

    Managing Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Installing the GPMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Group Policy Terminology and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

    Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135GPOs and the GPO Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

    GPO Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Security Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

    WMI Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138GPO Precedence and Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Resultant Set of Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Creating and Linking GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

    Default Domain Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Default Domain Controller Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Member Server and Workstation Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Managing File and Folder Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Default Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

    Configuring Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Add a Security Principal to the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

    Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Blocking Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

    Block Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Reinstating Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

    Reinstate Inheritance on an Object . . . . . . . . . . . . . . . . . . . . . . . . . . 146
    Reset Permissions to Enforce Inheritance from a Parent Folder . . . . . . . . . 146


    Effective Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
    File Permissions Override Folder Permissions . . . . . . . . . . . . . . . . . . . . 147
    Permission Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

    Implicit No Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
    Allow Permissions Are Cumulative . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
    Deny Overrides Allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
    Explicit Permissions Override Inherited Permissions . . . . . . . . . . . . . . . 147
    Evaluating Effective Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    Best Practices for ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
    Sharing a Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    Other Guidance on What Is New . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
    Help and Support Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
    Microsoft IE Enhanced Security Configuration . . . . . . . . . . . . . . . . . . . . 149

    Shadow Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
    Disaster Planning and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
    Monitoring DC Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
    Third-Party Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

    Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151


    Chapter 6 Planning an Exchange Server 2003 Migration . . . . . . . . . . . . . .152

    Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
    Intraorg or Interorg? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
    In-Place Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
    Front-End Servers vs. Back-End Servers . . . . . . . . . . . . . . . . . . . . . . . . 154

    System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
    Standard or Enterprise Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

    Exchange and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
    The Active Directory Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
    Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

    The Exchange System Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

    Client Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

    Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164


    Chapter 7 Installing Exchange Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . 165

    Pre-Installation Considerations for Exchange Server 2003 . . . . . . . . . . . . . . . . . 165

    Performing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    Post-Installation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

    Exchange Server Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

    Migrating From Exchange 5.5 To Exchange 2003 . . . . . . . . . . . . . . . . . . . . 182
    Phase One: Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
    Phase Two: Prepare Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 184
    Phase Three: Installing Exchange Server 2003 on the Initial Server . . . . . . . 186
    The Easier Road: Exchange Server Migration Wizard . . . . . . . . . . . . . . . . . 187

    SP1 for Exchange Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

    The Grand Finale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194


    Chapter 8 Managing Exchange Server 2003 . . . . . . . . . . . . . . . . . . . . . . . 195

    Common Administrative Chores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
    Monitoring and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
    Outlook Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
    Implementing Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

    Avoiding Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
    Migration, Administration, and Beyond . . . . . . . . . . . . . . . . . . . . . . . . 218


    Chapter 1

    The Windows Server System: Featuring Windows Server 2003 and Exchange Server 2003

    Introduction

    Welcome to Migrating to Windows Server 2003, Active Directory, and Exchange Server 2003, an eBook brought to you by NetIQ and Windows & .NET Magazine. This book answers the following burning questions about Windows Server 2003 and Exchange Server 2003:

    Why should I migrate?

    How can I prepare to migrate?

    What are the best practices in performing a migration?

    What do I need to bear in mind after migrating?

    Our goal is to provide you with a straightforward, practical guide to help answer migration questions specific to your environment. We'll try to cut through the marketing hype and spin so you can identify what really matters. And we'll bring with us the experience we've gleaned from migrating organizations large and small to Active Directory (AD) and Exchange Server.

    This book focuses solely on migrations from previous Windows OSs, such as Windows 2000 Server, Windows NT 4.0, Exchange Server 2000, or Exchange Server 5.5. We will not examine migration from other directory services or messaging systems. Chapter 1 provides an overview of the products and the broad topics related to migration. This chapter provides insights into the new 2003 platform features so you can determine whether Windows Server 2003 and Exchange Server 2003 are right for you. We also introduce some key issues related to migration of the directory service and messaging system. Chapters 2 through 5 provide details regarding migration to Windows Server 2003 and AD, and Chapters 6 through 8 highlight migration to Exchange Server 2003.

    Throughout this book, we assume you have experience with Windows platforms; this book is not for Dummies. We present straightforward concepts as succinctly as possible and touch lightly on common and familiar concepts. When we reach core topics, we focus on them. These core topics might be new to Windows Server 2003 and Exchange Server 2003 or might be complicated subjects from earlier versions that our experience has shown are not well understood by IT professionals.

    We will guide you to resources that provide additional details. Microsoft certainly provides some of the most useful resources, specifically:

    the Windows Server 2003 home page at http://www.microsoft.com/windowsserver2003

    the Windows Server 2003 technology center of the TechNet site at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/default.asp

    the Exchange Server 2003 home page at http://www.microsoft.com/exchange

    Brought to you by NetIQ and Windows & .NET Magazine eBooks


    the Exchange Server 2003 technology center of the TechNet site at http://www.microsoft.com/technet/prodtechnol/exchange

    In addition, we remind you of Windows & .NET Magazine's superb resources, which have the distinct advantage of being independent from Microsoft and are available at http://www.winnetmag.com.

    One advantage of an eBook is the dynamic nature of its time-release publishing. By the time you receive the final chapter of this eBook, technology will have changed. The technology changes as the market adopts and adjusts to Windows Server 2003, as Microsoft rolls its emphasis on patch deployment and trustworthy computing into Windows Server 2003's first service pack, and as new technologies such as Microsoft Office System and Windows SharePoint Services enter the market. To get the most benefit from this eBook, you need to regularly visit our eBook update Web site at http://www.intelliem.com/migrationebook. On that Web site, we will post updates, host discussions, and provide tools and solutions to support you in your migration efforts.

    Finally, we discuss the strengths and weaknesses of the native tools: the commands and utilities that are available in Windows Server 2003 and Exchange Server 2003, including resource kit tools and Microsoft freebies. Where weaknesses exist, we point out third-party tools and their capabilities. If your environment is large or complex, you will almost certainly require assistance from third-party tools. Microsoft has tried several third-party tools and, in the case of some tools, liked them so much it bought the company. In smaller environments you might need only native tools. But you will need to evaluate the total cost of migration, including your time, the likelihood of error, and the cost of error, against the cost of reliable, targeted, retail migration tools. We hope to provide valuable insight into these migration considerations also. With these introductory notes out of the way, let's pull back the covers from Microsoft's latest crown jewel, Windows Server System.

    Introducing Windows Server System

    Windows Server System is the brand identity for a large and diverse group of server products including Microsoft Application Center, BizTalk Server, Commerce Server, Content Management Server, Exchange Server, Host Integration Server (HIS), Identity Integration Server 2003 Enterprise Edition (MIIS), Internet Security and Acceleration (ISA) Server, Microsoft Operations Manager (MOM), Project Server, SharePoint Portal Server, Small Business Server (SBS), Speech Server, SQL Server, Systems Management Server (SMS), Storage Server 2003, and yes, Windows Server 2003 and even Windows 2000 Server. If the list includes servers you have not heard of before, don't be surprised. Microsoft has recently unveiled a number of servers specializing in granular enterprise services, and in the coming months, Microsoft will undoubtedly announce more.

    In the past few years, Microsoft had problems coming to terms with the identity of its server lineup. Before its release, Windows Server 2003 was called Windows .NET and Windows .NET Server. Microsoft also was preparing to brand other servers with the .NET identity. However, the market didn't understand .NET, so Microsoft dropped the identity. But the .NET technologies are still in the products. .NET encompasses a new architecture for applications and services that facilitates information access by a comprehensive assortment of devices and tools, from native Windows applications running on PCs to next generation phones and smartwatches. Although Windows Server 2003 encompasses many exciting and valuable components of the .NET vision, it will take several years and more revisions of Windows Server 2003 before the entire OS will be truly .NET.

    2 Migrating to Windows Server 2003, Active Directory and Exchange Server 2003


    By then the initiative and its technologies will certainly be called something entirely different, but we as customers will benefit from the inherent secure nature of .NET code. If for no other reason than security, .NET can't come soon enough.

    Staying the course of .NET technology, Microsoft branded its server products with a more market-friendly identity as Windows Server System, with identifiable product names and year-based version tags.

    The Windows Server 2003 Family

    Windows Server 2003 is an incremental, evolutionary revision of the architecture introduced in NT and the significant technologies introduced in Windows 2000 Server. The internal version number of Windows Server 2003 (i.e., 5.2) tells the tale: Windows 2000 Server is version 5.0 and Windows XP is version 5.1. The Windows Server 2003 family consists of four editions:

    Windows Server 2003, Standard Edition

    Windows Server 2003, Enterprise Edition

    Windows Server 2003, Datacenter Edition

    Windows Server 2003, Web Edition

    Web Edition: Not just the small kid on the block

    Each edition has the same core architecture and shares the vast majority of its code base. However, Microsoft designed each edition to better meet the needs of customer segments with specific requirements for scalability, service, and hardware platform support. By creating unique bundles with various scalability and performance, Windows Server 2003 editions, which Table 1.1 lists, can meet the business needs of large datacenter customers as well as small businesses.

    Every enterprise will want to examine Windows Server 2003, Web Edition as part of its comprehensive migration plan. This platform delivers Web pages, Web sites, Web applications, and Web services, plus it supports popular technologies such as Active Server Pages (ASP), ASP.NET, and the Windows .NET Framework. Although designed to provide a Linux alternative for Web hosting providers, its competitive pricing also lets organizations migrate existing internal or external Web servers to a more cost-effective platform. In the past, organizations needed to buy the full version of the server platform, even if they didn't use many network services.

    With the introduction of technologies such as Software Update Services and Windows SharePoint Services, Web servers will likely play an increasingly important role inside enterprises. Given the unique security needs of a Web server, we advise dedicating Web servers so you can update them quickly and regularly, and so that in the event of a security breach, non-Web applications, services, and data stores are not jeopardized. You need to consider cost, security, and manageability when you look at server consolidation versus dedication.

    Evaluating Windows Server 2003's Directory Service Improvements

    With each new release Microsoft says it provides "Better performance, scalability, stability, availability, security, manageability." You've probably heard it enough times to use it as your om in yoga class.

    So what do these words really mean? As the consultant once said, "It depends." Windows Server 2003 has many enhancements. The relative value of those enhancements to your enterprise depends

    Chapter 1 Windows Server System 3


    Table 1.1: Windows Server 2003 Editions

    Windows Server 2003, Standard Edition
        Server Role: Replaces Windows 2000 Server. An all-purpose server platform that performs diverse roles including Web, application, database, messaging, and network service. Supports AD and can act as a DC.
        Business Target: Targeted for use in small businesses and for departmental use within larger organizations.
        Scalability and Availability: Provides SMP support for up to 4 CPUs. Supports a maximum of 4GB of RAM. Offers no support for clustering. Supports only x86 processor systems; provides no support for 64-bit platforms such as Intel Itanium-based systems.

    Windows Server 2003, Enterprise Edition
        Server Role: Replaces Windows 2000 Advanced Server. An all-purpose server platform that performs diverse roles including Web, application, database, messaging, and network service. Supports AD and can act as a DC.
        Business Target: Targeted for businesses of all sizes, particularly when scalability and availability are a concern.
        Scalability and Availability (32-bit version): Provides SMP support for up to 8 CPUs. Supports a maximum of 32GB of RAM. Supports clustering up to 8 nodes. Supports x86 processor systems.
        Scalability and Availability (64-bit version): Provides SMP support for up to 8 CPUs. Supports a maximum of 64GB of RAM. Supports Intel Itanium-based systems.

    Windows Server 2003, Datacenter Edition
        Server Role: Replaces Windows 2000 Datacenter Server. A high-performance, high-scalability, and high-availability server platform available only preinstalled on OEM systems.
        Business Target: Targeted for data processing environments consisting of business-critical and mission-critical applications that require superior levels of reliability, availability, and scalability.
        Scalability and Availability (32-bit version): Provides SMP support for up to 32 CPUs with a minimum of 8 CPUs. Supports a maximum of 64GB of RAM. Supports clustering up to 8 nodes.
        Scalability and Availability (64-bit version): Provides SMP support for up to 64 CPUs. Supports a maximum of 512GB of RAM. Supports Intel Itanium-based systems.


    on your current environment and where you want to take that environment. Before we examine the key new features, let us put in our 2 cents' worth of advice: upgrade! We've seen three enormous benefits from Windows Server 2003 that affect almost every organization, big and small.

    Security. It's true. Windows Server 2003 is significantly more secure, more likely to stay secure, and will support important security update and patch management technologies that Microsoft will release in late 2003 and in 2004. Out of the box, Windows Server 2003 is locked down, as you might have heard. This security is true, important, and not a moment too soon.

    Productivity. Windows Server 2003 addresses weaknesses in the Windows 2000 Server technologies and tools, particularly in AD. We examine many of the productivity changes throughout this book. Most of the enhancements are small, but they add up to significantly reduced pain and increased productivity for administrators.

    Support for new technologies. We believe that SharePoint Services, Microsoft Office Live Communications Server (LC Server) 2003, Real Time Communications Server (RTC Server), and the entire Office 2003 System will make a huge difference where it counts for organizations today: in the productivity of every information worker.

    Depending on how the market adopts these technologies, we might eat our words by Chapter 8's release, but we still assert that the first two reasons are enough to warrant an upgrade as soon as your budget allows. These three benefits provide significant drive to migrate. But you will find dozens more reasons to upgrade, depending on the type of organization you have, your user population, your security concerns, your network topology, and your server roles.

    An exhaustive exploration of all the new features is available in the white paper titled "Why Upgrade From Windows NT 4.0 to Windows Server 2003" at http://www.microsoft.com/windowsserver2003/docs/NT4toWNET.doc. We found this document to be informative and recommend that you look it over.

    Because this book facilitates the migration of directory services, let's tour the key new features and technologies of AD. Take note of how much return you would expect to get from the improvements.


    Table 1.1: Windows Server 2003 Editions (continued)

    Windows Server 2003, Web Edition
        Server Role: Is the new member of Windows Server System. Can belong to a domain or workgroup but cannot act as a DC. Limited to 10 Server Message Block (SMB) connections (not designed for file and print service). Optimized for Web serving functions.
        Business Target: Targeted for Web and hosting services and as a Windows alternative to Linux.
        Scalability and Availability: Provides SMP support for up to 2 CPUs. Supports a maximum of 2GB of RAM. Provides no support for clustering. Supports only x86 processor systems.


    AD serves as the enterprise directory service for a Windows network. AD centralizes themanagement of identities (e.g., user accounts), the management of information about enterpriseresources, and the security of those resources.

    Upgrading to AD from NT 4.0

    The reasons to upgrade to AD from NT 4.0 domains and their rudimentary directory service, the SAM, are well understood. Enterprises of any size have experienced the pain due to the SAM's limitations, including a limit to how many users and groups it can support, its lack of control over administrative authority, the need for multiple domains, and the creation of trust relationships between those domains.

    A single enterprise AD, called a forest, can support an enterprise of any size. AD supports millions of objects per domain and granular delegation of administrative authority within each domain, thereby significantly reducing the need for multiple domains within the forest. Elegant and simple designs consisting of one forest and one or two domains are not uncommon, even in enormous globally dispersed enterprises. We haven't heard anyone claim that AD increased his or her total cost of ownership (TCO) over NT 4.0. In fact the enterprises we work with are huge fans of the new directory service, particularly after we educate and train them how to design and implement AD correctly. You are forewarned: AD is a significant change from NT 4.0, and although this book will provide you with lots of great information to help you migrate, be sure to read, discuss, and learn as much as you can before migrating. AD is not only a replacement for the SAM, but it also acts as a central repository of information about the enterprise, such as information about users, groups, computers, printers, servers, applications, and topology.

    Upgrading to Windows Server 2003 AD from Windows 2000 Server

    For organizations currently running Windows 2000 Server as their domain controllers (DCs), Windows Server 2003's revision of AD provides important and long-awaited enhancements to its security, performance, and manageability.

    Technology and functionality

    Migration. You can use the AD Migration Tool (ADMT) to migrate users and groups to AD. ADMT 2.0 now supports migration to Windows Server 2003 domains, and importantly, lets you migrate user passwords.

    Coexistence. Windows Server 2003 AD DCs, domains, and forests can coexist with DCs running Windows 2000 Server and NT 4.0 because of the domain and forest functionality levels that Windows Server 2003 supports. Domain and forest functional levels disable or enable AD features on a per-domain or forest-wide basis to account for earlier version DCs that do not support the extended feature set of Windows Server 2003. These functionality levels are similar to the domain modes (i.e., mixed mode, native mode) in Windows 2000 Server environments. Windows Server 2003 AD supports four different domain functional levels and three different forest functional levels. Each level lets you deploy certain new features, and different levels of interoperability with existing DCs running Windows 2000 Server or NT 4.0. To use some of the new features listed in this chapter you must configure a domain or forest to a specific functional level. We'll highlight those situations and go into more detail about forest and domain functional levels in Chapters 2 through 5.


    Trust relationships. Although most enterprises will need only one AD forest, on rare occasions an enterprise will need a multi-forest model, particularly when two organizations merge and each has an established forest. Creating and managing trust relationships between forests was difficult in Windows 2000 Server because you had to establish relationships between every individual domain in each forest. Windows Server 2003 supports cross-forest, transitive-trust relationships so you can establish a single trust relationship between the root domains of each forest. Cross-forest trusts require you to configure the forests at the Windows Server 2003 forest functional level.

    Name changes. In Windows 2000 Server, you could not rename a domain or change the hierarchical position of a domain without first removing AD entirely. Windows Server 2003 supports renaming and repositioning domains after you configure the forest at the Windows Server 2003 forest functional level. This enhancement will be particularly useful for enterprises adjusting their networks to accommodate acquisitions, mergers, name changes, reorganizations, or modifications to their AD design. Windows 2000 Server was also strict about DC names: you could not rename a DC without demoting it, changing the name, and promoting it again. Windows Server 2003 domains configured at the Windows Server 2003 domain functional level support renaming DCs without first demoting them.

    Branch offices. When a user logs on to an AD domain, a global catalog server must supply information about the user's universal group membership. If a global catalog server is not available and the user is not a member of the domain administrator group, then the user is denied logon. Users at branch offices that have locations separated by WAN links are denied logon due to the inaccessibility of a remote global catalog server when the link is down. So organizations with Windows 2000 Server environments adopted a best practice of configuring a global catalog server on a DC in each location separated by a WAN link. That practice addressed the risk of denied logon but increased replication traffic across the WAN link. Windows Server 2003 introduces universal group membership caching. This feature lets you specify a DC in a branch office that caches users' universal group membership and decreases the need for a local global catalog server. A global catalog server is queried the first time a user logs on at that location, then the DC caches the user's universal group membership so subsequent logons do not require access to a global catalog server.

    Domain controller installation. Windows Server 2003 lets you use a backup of the domain AD as the initial data source to promote a DC. This enhancement lets you install a DC in a remote location without eating up bandwidth as it replicates the entire directory over a WAN connection.

    Enhanced partitioning. AD's database is divided into partitions that contain information to support specific functionality. For example, the schema partition defines the types of objects that AD can store and thereby acts as the blueprint for the forest's directory service. Every DC stores a copy of the schema partition. The configuration partition, which every DC in a forest also stores, contains objects related to sites and services. The domain partition stores objects for resources in that domain, including users, groups, and computers. Only the DCs in that domain will store and replicate the domain partition. If the forest contains multiple domains, each domain maintains and replicates its own domain partition. The problem is that some information is not necessary for every DC to maintain and replicate. For example, you can maintain DNS zones in the AD database but unless every DC will act as a DNS server for clients in the enterprise, there's no need to replicate the DNS data to every DC. Windows Server 2003 introduces application partitions. These AD partitions maintain information for one or more specific applications. Administrators can designate which DCs within a domain or forest will maintain each application partition. This enhancement lets administrators refine replication so that each DC contains only the information it requires to perform its duties.
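The partition types above can be told apart from the crossRef objects in the Partitions container of the configuration partition, and for an application partition the crossRef also records which DCs hold a replica. The following is an added example (not code from this book) that classifies a constructed set of crossRef objects for a hypothetical forest named contoso.com and flags application partitions that only one DC replicates, which is the availability caveat that comes with refining replication. It assumes that a domain's crossRef carries the nETBIOSName attribute and that an application partition's replica set is listed, by NTDS Settings DN, in its msDS-NC-Replica-Locations attribute; a live check would read these with an LDAP client instead of the inline records.

```python
"""Classify AD naming contexts and list application-partition replicas.

Added example, not the book's code.  ROOT_DSE and CROSSREFS are constructed
records for a hypothetical forest (contoso.com); in a real forest they are read
from the rootDSE and from CN=Partitions,CN=Configuration,<forest root>.
"""

# Constructed rootDSE values (a DC returns these for an anonymous base search).
ROOT_DSE = {
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=contoso,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=contoso,DC=com",
}


def ntds_settings_dn(server, site="Default-First-Site-Name"):
    """Build the NTDS Settings DN of a DC, as stored in msDS-NC-Replica-Locations."""
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},"
            "CN=Sites,CN=Configuration,DC=contoso,DC=com")


# Constructed crossRef objects: schema, configuration, one domain, and three
# application partitions (the two DNS zone partitions plus a hypothetical
# InventoryApp partition that only DC1 replicates).
CROSSREFS = [
    {"nCName": ROOT_DSE["schemaNamingContext"]},
    {"nCName": ROOT_DSE["configurationNamingContext"]},
    {"nCName": "DC=contoso,DC=com", "nETBIOSName": "CONTOSO"},
    {"nCName": "DC=ForestDnsZones,DC=contoso,DC=com",
     "msDS-NC-Replica-Locations": [ntds_settings_dn("DC1"),
                                   ntds_settings_dn("DC2", "Branch")]},
    {"nCName": "DC=DomainDnsZones,DC=contoso,DC=com",
     "msDS-NC-Replica-Locations": [ntds_settings_dn("DC1"),
                                   ntds_settings_dn("DC2", "Branch")]},
    {"nCName": "DC=InventoryApp,DC=contoso,DC=com",
     "msDS-NC-Replica-Locations": [ntds_settings_dn("DC1")]},
]


def partition_kind(crossref, root_dse=ROOT_DSE):
    """Return 'schema', 'configuration', 'domain' or 'application' for a crossRef."""
    nc = crossref["nCName"]
    if nc == root_dse["schemaNamingContext"]:
        return "schema"
    if nc == root_dse["configurationNamingContext"]:
        return "configuration"
    if "nETBIOSName" in crossref:          # only domain crossRefs carry a NetBIOS name
        return "domain"
    return "application"


def server_from_ntds_dn(dn):
    """'CN=NTDS Settings,CN=DC1,CN=Servers,...' -> 'DC1'."""
    second_rdn = dn.split(",")[1]
    return second_rdn[len("CN="):]


def application_replicas(crossrefs, root_dse=ROOT_DSE):
    """Map each application partition to the DCs that hold a replica of it."""
    return {
        c["nCName"]: [server_from_ntds_dn(d)
                      for d in c.get("msDS-NC-Replica-Locations", [])]
        for c in crossrefs
        if partition_kind(c, root_dse) == "application"
    }


def single_replica_partitions(crossrefs, root_dse=ROOT_DSE):
    """Application partitions with fewer than two replicas: one DC loss makes them unavailable."""
    replicas = application_replicas(crossrefs, root_dse)
    return sorted(nc for nc, dcs in replicas.items() if len(dcs) < 2)


if __name__ == "__main__":
    for c in CROSSREFS:
        print(f"{partition_kind(c):14} {c['nCName']}")
    for nc, dcs in application_replicas(CROSSREFS).items():
        print(f"{nc}: replicated by {', '.join(dcs)}")
    print("single-replica application partitions:", single_replica_partitions(CROSSREFS))
```

Replicating an application partition to only one DC is a legitimate choice for scratch data, but for anything clients depend on (the DNS zone partitions, in particular) the replica set should span at least two DCs, ideally in different sites.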

    Improved replication. The many changes to replication will make AD significantly more efficient.Perhaps the most important change is that when you configure a forest at the Windows Server 2003functional level, group membership changes replicate granularly instead of replicating an entire list ofmembers. This latter change is quite significant for performance, security, and manageability.
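Several of the features described above (renaming a DC without demotion, cross-forest trusts, domain rename, and granular group-membership replication) are gated by the domain or forest functional level, and a forest level can only be raised once every domain in it is already at that level. The following is an added example, not code from this book, that decodes the functional levels and reports what must be raised before a feature can be used. It assumes the encoding used by the msDS-Behavior-Version attribute on the domain and forest objects (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003) and that ntMixedDomain = 1 marks a Windows 2000 domain as mixed mode; the feature-to-level mapping is the one stated in the paragraphs above.

```python
"""Functional-level checks before using Windows Server 2003 AD features.

Added example, not the book's code.  Assumed encoding (not stated on the page):
msDS-Behavior-Version 0 = Windows 2000, 1 = Windows Server 2003 interim,
2 = Windows Server 2003; ntMixedDomain 1 = mixed mode, 0 = native mode.
"""

# (msDS-Behavior-Version, ntMixedDomain) -> domain functional level name
DOMAIN_LEVEL_NAMES = {
    (0, 1): "Windows 2000 mixed",
    (0, 0): "Windows 2000 native",
    (1, 1): "Windows Server 2003 interim",
    (2, 0): "Windows Server 2003",
}

# msDS-Behavior-Version on the forest (Partitions container) -> forest level name
FOREST_LEVEL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}

# Feature -> (scope that gates it, minimum msDS-Behavior-Version), per the text above.
# Cross-forest trust needs BOTH forests at level 2; this table checks the local one.
FEATURE_REQUIREMENTS = {
    "rename DC without demotion": ("domain", 2),
    "cross-forest transitive trust": ("forest", 2),
    "domain rename or reposition": ("forest", 2),
    "linked-value replication of group membership": ("forest", 2),
}


def domain_level_name(behavior_version, nt_mixed_domain):
    """Translate the two domain attributes into the level name shown in the MMC."""
    try:
        return DOMAIN_LEVEL_NAMES[(behavior_version, nt_mixed_domain)]
    except KeyError:
        raise ValueError(
            f"unrecognised domain level: msDS-Behavior-Version={behavior_version}, "
            f"ntMixedDomain={nt_mixed_domain}")


def forest_level_name(behavior_version):
    try:
        return FOREST_LEVEL_NAMES[behavior_version]
    except KeyError:
        raise ValueError(f"unrecognised forest level {behavior_version}")


def available_features(domain_version, forest_version):
    """Which gated features the given domain/forest levels already permit."""
    levels = {"domain": domain_version, "forest": forest_version}
    return {feature: levels[scope] >= minimum
            for feature, (scope, minimum) in FEATURE_REQUIREMENTS.items()}


def blocker(feature, domain_version, forest_version):
    """Return the action needed before `feature` can be used, or None if it is usable."""
    scope, minimum = FEATURE_REQUIREMENTS[feature]
    current = domain_version if scope == "domain" else forest_version
    if current >= minimum:
        return None
    return f"raise {scope} functional level from {current} to {minimum}"


def forest_raise_allowed(target_version, domain_versions):
    """The forest level can be raised only when every domain is at that level or higher."""
    return all(v >= target_version for v in domain_versions)


if __name__ == "__main__":
    # Constructed scenario: the forest root is at Windows Server 2003 level,
    # but a child domain still has Windows 2000 DCs, so the forest is at level 0.
    domains = {"contoso.com": 2, "child.contoso.com": 0}
    forest = 0
    for name, level in domains.items():
        print(name, "->", domain_level_name(level, 0))
    print("forest ->", forest_level_name(forest))
    for feature in FEATURE_REQUIREMENTS:
        print(f"{feature}: {blocker(feature, domains['contoso.com'], forest) or 'available'}")
    print("can raise forest to 2:", forest_raise_allowed(2, domains.values()))
```

In the constructed scenario the root domain can already rename its DCs, but every forest-wide feature stays blocked until the child domain's Windows 2000 DCs are upgraded or removed and that domain is raised, because the forest level cannot move ahead of its lowest domain.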

    Schema functionality. AD now lets you redefine or deactivate schema attributes and object classes. This provides organizations a way to correct for errors or retire unused schema objects. Schema changes also no longer force a complete replication of the global catalog.

    Active Directory Application Mode. AD's robust, efficient LDAP-compatible directory service makes it an attractive data store for many applications. However, for an application to use AD, it often must make modifications to the directory's schema so the directory can store new attributes or objects. Schema modification, as we discuss in later chapters, is serious business. Many businesses shy away from installing AD-aware applications, which is unfortunate because integration with enterprise applications is one of the best features of a real directory service. Microsoft listened and came up with Active Directory Application Mode (ADAM), which installs AD as an application, rather than a service. This means you can have one or more discrete instances of AD running on a server, and that server doesn't need to be a DC! For more information about ADAM, go to Microsoft's Web page at http://www.microsoft.com/windowsserver2003/adam.

Manageability

Microsoft provides enhanced tools and snap-ins with Windows Server 2003. The company hopes to address some of the strongest criticisms of its version 1.0 (Windows 2000) administrative tools with these enhancements.

    AD administration

AD Users and Computers now lets you:

Select multiple objects simultaneously.

Drag objects to a new location such as a different container, organizational unit (OU), or group.

Modify common properties of multiple objects simultaneously. For example, you can now select multiple user accounts and change the user profile location for all of them.

In addition, the Microsoft Management Console (MMC) snap-in now hosts a Saved Queries folder. Unlike the Find command available in both Windows Server 2003 and Windows 2000 Server, Saved Queries lets you define an AD query (an LDAP filter), save it, and run the query again at any time. For example, you can create a saved query that displays all disabled user accounts in the domain. When you need to monitor disabled accounts, simply run the saved query and the results show the status of user accounts across every OU in the domain.


    Group Policy management

An entirely new MMC snap-in called Group Policy Management Console (GPMC) centralizes and simplifies the creation, linking, application, and analysis of Group Policy Objects (GPOs). In Windows 2000 Server, you can only administer GPOs from the Properties dialog box of a site, domain, or OU, and the UI made it difficult to locate and understand options related to the application and functioning of a GPO. GPMC, as Figure 1 shows, provides a single interface with drag-and-drop functionality that lets an administrator manage Group Policy settings across multiple sites, domains, or even forests. GPMC's capabilities include backing up, restoring, importing, and copying GPOs, together with an intuitive reporting interface that shows GPO deployment. Using this tool an administrator can easily determine which GPOs apply to a given domain, the configuration of inheritance settings, and which users or groups have the ability to manage these objects. (GPO backups are plain files on disk; protect them, because a restored or imported GPO is applied with whatever settings the file contains.) The GPMC snap-in is available for download from http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

Figure 1: The Group Policy Management Console

The Resultant Set of Policy (RSoP) tool is also a long-awaited addition to the Group Policy administrative toolset. Determining which settings will, in the end, govern the user or computer environment can be extraordinarily complex because you can link Group Policy to sites, domains, and OUs; filter Group Policy by security group membership and WMI queries; disable Group Policy in part or in whole; block or enforce Group Policy; and apply Group Policy to users or computers. RSoP lets you determine the effective settings, troubleshoot GPO application (logging mode), and plan what-if scenarios (planning mode) to evaluate the Group Policy impact of moving a user or computer between AD containers.
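The precedence rules in the preceding paragraph are mechanical enough to write down. What follows is an added Python example, not code from this eBook or from Microsoft's RSoP tool, that resolves effective settings for a constructed hierarchy (a domain, an IT OU, and a Lab OU that blocks inheritance) and answers the what-if question of moving an object between OUs. GPO names, setting names, container names and group names are assumptions; the rules it encodes are the documented ones: local, site, domain, OU order with later settings winning, Block Inheritance, Enforced, disabled links and security filtering.

```python
"""Resultant Set of Policy (RSoP) resolver for a toy AD hierarchy.

Added example; not code from the eBook or from Microsoft's RSoP tool. It
models the precedence rules the text lists: GPO links on the local machine,
site, domain and OUs are processed in that order and later settings win; a
link or a whole GPO can be disabled; a container can block inheritance; an
enforced link ignores the block and beats conflicting non-enforced
settings; security filtering limits a GPO to principals that hold the
Apply Group Policy permission. Container, GPO and setting names are
constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                  # policy name -> configured value
    apply_to: Optional[set] = None  # groups granted Apply Group Policy; None = Authenticated Users
    disabled: bool = False          # the whole GPO is disabled


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False          # "No Override" in Windows 2000 terminology
    disabled: bool = False          # link disabled without unlinking the GPO


@dataclass
class Container:
    """Local machine, site, domain or OU. Links are listed lowest
    precedence first, so within a container the last link wins."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def applies_to(gpo: GPO, groups: set) -> bool:
    """Security filtering: Authenticated Users by default, else any listed group."""
    return gpo.apply_to is None or bool(gpo.apply_to & groups)


def resolve_rsop(chain: list, groups: set) -> dict:
    """chain: containers from the top (local, site, domain, OU ...) down to
    the target's own OU. groups: group names the user or computer belongs
    to. Returns {setting: (effective value, name of the winning GPO)}."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []          # drop non-enforced GPOs inherited from above
        for link in container.links:
            if link.disabled or link.gpo.disabled or not applies_to(link.gpo, groups):
                continue
            (enforced if link.enforced else normal).append(link.gpo)
    # Non-enforced GPOs apply in LSDOU order; enforced GPOs apply afterwards
    # in reverse order, so the enforced link highest in the hierarchy is
    # written last and wins over any conflicting setting.
    resolved = {}
    for gpo in normal + list(reversed(enforced)):
        for setting, value in gpo.settings.items():
            resolved[setting] = (value, gpo.name)
    return resolved


def what_if_move(chain_from: list, chain_to: list, groups: set) -> dict:
    """Planning-mode question: which effective settings change if the object
    is moved from one container chain to another? Returns
    {setting: (before, after)} for settings that differ; a setting that is
    absent on one side is reported as None."""
    before, after = resolve_rsop(chain_from, groups), resolve_rsop(chain_to, groups)
    return {s: (before.get(s), after.get(s))
            for s in set(before) | set(after) if before.get(s) != after.get(s)}


def build_example():
    """Constructed domain with a default policy, an enforced lockdown and a
    lab OU that tries to escape inheritance."""
    default_domain = GPO("Default Domain Policy",
                         {"AuditLogonEvents": "Success,Failure", "ScreenSaverTimeout": 900})
    lockdown = GPO("Corp Lockdown", {"ScreenSaverTimeout": 600, "RemovableMediaDenied": True})
    lab = GPO("Lab Exceptions", {"ScreenSaverTimeout": 3600, "RemovableMediaDenied": False})
    admin_tools = GPO("Admin Tools", {"RunAsAllowed": True}, apply_to={"Domain Admins"})

    domain = Container("DC=example,DC=local", [Link(default_domain), Link(lockdown, enforced=True)])
    lab_ou = Container("OU=Lab", [Link(lab)], block_inheritance=True)
    it_ou = Container("OU=IT", [Link(admin_tools)])
    return domain, lab_ou, it_ou


if __name__ == "__main__":
    domain, lab_ou, it_ou = build_example()
    for setting, (value, source) in sorted(resolve_rsop([domain, lab_ou], {"Domain Users"}).items()):
        print(f"{setting:22} = {value!s:16} from {source}")
```

Run it and the Lab OU's Block Inheritance is shown doing exactly what the text warns about: it drops the Default Domain Policy's audit setting, yet the enforced Corp Lockdown still wins over the Lab Exceptions GPO linked directly to the OU. The same resolver answers the planning question for a move between OUs without touching the directory.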

Command line tools

Windows Server 2003 provides additional flexibility and opportunity for automation thanks to its new arsenal of command line utilities. In the Group Policy arena, the gpresult command produces an RSoP report from the command prompt and the gpupdate command forces a refresh of GPOs. These utilities replace and enhance the Group Policy functionality of Windows 2000 Server's secedit command (secedit /refreshpolicy in particular). The secedit command still exists in Windows Server 2003, but its functionality now focuses on analyzing and applying security templates.

Almost every service, including Microsoft Internet Information Services (IIS), Dfs, NTBackup, Task Scheduler, Terminal Services, SharePoint Services, and AD, offers command-line management tools.

The AD commands are particularly impressive: dsquery, dsget, dsadd, dsmod, dsrm, and dsmove let administrators query, read, add, modify, remove, and move AD objects from the command line, and their output can be piped from one tool to the next (for example, from dsquery into dsmod).
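To make concrete both the Saved Queries example above (all disabled user accounts in the domain) and the query that dsquery runs for the same question, here is an added Python example, not code from this eBook or from any Microsoft tool. A user's enabled or disabled state is not a separate attribute; it is bit 0x2 of userAccountControl, so the Saved Query and dsquery * -filter both rely on the LDAP bitwise matching rules. The code implements those rules and the basic filter operators, then runs the disabled-user filter over a constructed, in-memory set of objects spread across several OUs. Object names, OUs and the second "hygiene" filter are assumptions for illustration.

```python
"""Evaluate the LDAP filter behind the "disabled user accounts" Saved Query.

Added example; not code from the eBook or from the AD Users and Computers
snap-in. AD keeps account state as bit flags in userAccountControl, and
both a Saved Query and dsquery * -filter find disabled users with the
bitwise-AND matching rule:
  (&(objectCategory=person)(objectClass=user)
    (userAccountControl:1.2.840.113556.1.4.803:=2))
The evaluator below implements the two bitwise matching rules and the
basic filter operators, then runs that filter over a constructed,
in-memory set of objects spread across several OUs.
"""
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all mask bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any mask bit set

UAC = {   # userAccountControl flags worth querying for during a migration
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Filters are nested tuples: ("&", [...]), ("|", [...]), ("!", f),
# ("=", attr, value) and (rule_oid, attr, mask) for the bitwise rules.
DISABLED_USERS = ("&", [
    ("=", "objectCategory", "person"),
    ("=", "objectClass", "user"),
    (LDAP_MATCHING_RULE_BIT_AND, "userAccountControl", UAC["ACCOUNTDISABLE"]),
])

# Constructed second query: accounts whose password never expires or that
# skip Kerberos preauthentication, both worth a look before a migration.
PASSWORD_HYGIENE = ("&", [
    ("=", "objectClass", "user"),
    ("!", ("=", "objectClass", "computer")),
    (LDAP_MATCHING_RULE_BIT_OR, "userAccountControl",
     UAC["DONT_EXPIRE_PASSWORD"] | UAC["DONT_REQ_PREAUTH"]),
])


def bitwise_match(value: int, rule: str, mask: int) -> bool:
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0
    raise ValueError(f"unknown matching rule {rule}")


def evaluate(filt, obj: dict) -> bool:
    op = filt[0]
    if op == "&":
        return all(evaluate(f, obj) for f in filt[1])
    if op == "|":
        return any(evaluate(f, obj) for f in filt[1])
    if op == "!":
        return not evaluate(filt[1], obj)
    if op == "=":
        _, attr, wanted = filt
        values = obj.get(attr, [])
        values = values if isinstance(values, list) else [values]
        return any(str(v).lower() == str(wanted).lower() for v in values)  # AD compares case-insensitively
    if op in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        _, attr, mask = filt
        raw = obj.get(attr)
        return raw is not None and bitwise_match(int(raw), op, mask)
    raise ValueError(f"unsupported filter element {op!r}")


def run_query(filt, objects: list) -> list:
    return [o["dn"] for o in objects if evaluate(filt, o)]


def flags(uac: int) -> list:
    """Decode a userAccountControl value into the flag names it carries."""
    return sorted(name for name, bit in UAC.items() if uac & bit)


def user(cn, ou, uac):
    # objectCategory is really a DN; AD accepts the short form "person" in filters
    return {"dn": f"CN={cn},OU={ou},DC=example,DC=local", "objectCategory": "person",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "userAccountControl": uac}


CONSTRUCTED_OBJECTS = [
    user("alice", "Sales", 0x0200),            # enabled
    user("bob", "Sales", 0x0202),              # disabled
    user("svc-backup", "Services", 0x10200),   # password never expires
    user("carol", "IT", 0x10202),              # disabled, password never expires
    {"dn": "CN=FS01,OU=Servers,DC=example,DC=local", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": 0x1002},            # disabled computer: not a person, so excluded
]


def disabled_users(objects=CONSTRUCTED_OBJECTS) -> list:
    """Same result set as the Saved Query, or as dsquery user -disabled."""
    return run_query(DISABLED_USERS, objects)


if __name__ == "__main__":
    for dn in disabled_users():
        print("disabled:", dn)
    for dn in run_query(PASSWORD_HYGIENE, CONSTRUCTED_OBJECTS):
        print("review:  ", dn)
```

The objectCategory=person clause is what keeps the disabled computer account out of the result, and the bitwise rule is why a plain equality test on userAccountControl does not work: 0x202 and 0x10202 are both disabled accounts but are different numbers.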

Overview of Windows Server 2003 Deployment and Migration

Perhaps after reading the above information, reviewing the various resources available from Microsoft, and evaluating the new features, technologies, and capabilities of Windows Server 2003, you have determined that it is time to move to Windows Server 2003. Chapters 2 through 5 provide significant detail regarding migration to Windows Server 2003 (particularly to AD) from Windows 2000 Server and NT 4.0. But a few topics warrant an introduction here, and others deserve detail at this early stage.

Hardware Requirements

Among your first tasks is evaluating your hardware and budgeting for appropriate upgrades and replacements. Each time Microsoft releases a new version of the platform, it publishes minimum system requirements for the processor, memory, and disk space necessary for the OS to function. Table 1.2 summarizes the published minimum requirements for the Windows Server 2003 family.

Table 1.2: Minimum Windows Server 2003 Requirements

Requirement                     Standard Edition   Enterprise Edition    Datacenter Edition    Web Edition
Minimum CPU speed               133MHz             133MHz (x86)          400MHz (x86)          133MHz
                                                   733MHz (Itanium)      733MHz (Itanium)
Recommended minimum CPU speed   550MHz             733MHz                733MHz                550MHz
Minimum RAM                     128MB              128MB                 512MB                 128MB
Recommended minimum RAM         256MB              256MB                 1GB                   256MB
Maximum RAM                     4GB                32GB (x86)            64GB (x86)            2GB
                                                   64GB (Itanium)        512GB (Itanium)
SMP support                     Up to 4            Up to 8               Minimum 8             Up to 2
                                                                         Maximum 64
Disk space for setup            1.5GB              1.5GB (x86)           1.5GB (x86)           1.5GB
                                                   2GB (Itanium)         2GB (Itanium)

Hardware minimums are an interesting beast because they represent more-or-less the bare-bones requirements for the OS to function. Testing has shown that the OS can install on somewhat less capable platforms, but it might not function well or serve any business purpose. Recommending system hardware requirements without knowing how the system will be used (e.g., the services it will run, the demand those services will be put under) is nearly impossible. You must evaluate your current servers' performance, then account for growth and scalability of both the services performed by each system and the type and quantity of users and transactions on each system.


System Compatibility

In addition to evaluating a system against published minimum requirements and current and future needs, you must also ensure, before installing any edition of Windows Server 2003, that the server's hardware and the applications it will support are compatible with Windows Server 2003.

The Windows Catalog: HCL on steroids

To facilitate hardware compatibility evaluation, Microsoft publishes the Windows Catalog, formerly called the Hardware Compatibility List (HCL). An online, searchable version of the Windows Catalog is available at http://www.microsoft.com/windows/catalog/server/.

The catalog is a directory of Windows Server 2003-compatible hardware that Microsoft's Windows Hardware Quality Labs (WHQL) tested and approved. The Windows Catalog is dynamic and grows regularly over the lifecycle of the OS as vendors develop new hardware and Microsoft tests and certifies it for compatibility.

Devices that pass the hardware compatibility tests receive the following benefits:

designation with the Designed for Microsoft Windows Server 2003 logo

listing in the Windows Catalog

Microsoft-signed drivers that can be installed without intervention

driver updates distributed through Windows Update

Keep in mind that Microsoft performs the compatibility certification and its labs are not a charity. Companies must pay for Microsoft's compatibility testing, and some companies simply don't. Thus a device or application not listed in the Windows Catalog can, in fact, be compatible. You will often need to rely on the vendor's statements regarding compatibility and weigh those statements against the risk that the device or application might not be quite as compatible as the vendor asserts. Similarly, although a device listed in the Windows Catalog is likely to perform as desired, you must nevertheless perform adequate testing to ensure that you won't have surprises given the unique combination of hardware and applications in your environment.

Application compatibility

Although most administrators are aware of the need to evaluate hardware compatibility, I have seen far too many administrators underestimate the importance of verifying application compatibility. A new resource exists to facilitate the evaluation of applications. Microsoft has partnered with VeriTest to perform compatibility analyses of third-party applications. The result is the Catalog of Certified Server Applications, available at http://cert.veritest.com/CfWreports/server. In the near future, the Windows Catalog will list certified applications along with the hardware devices.

    VeriTest examines stability, manageability, and security. The applications that meet its demandingstandards earn the Certified for Microsoft Windows Server 2003 logo. VeriTest is the only labauthorized to perform these analyses. Although Microsoft sometimes seems not to be listening tocustomers (except the biggest ones), the high-level requirements for application compatibilitydemonstrate that Microsoft understands the pain we face in the trenches.


    Certification Standards for Standard Edition are

    Windows fundamentals

no unplanned downtime

driver verification

    correct installation

    no restarts

    support for smart card log on

    secure desktop

    secure network communication

    security templates

    graceful degradation that does not bring down services

    no user UI for services running as LocalSystem

    Certification Standards for Enterprise Edition are all Standard Edition requirements, plus

    no cluster vulnerabilities

    compatibility with virus scanning

    test for crash recovery

    appropriate resource use

    Certification Standards for Datacenter Edition are all Enterprise Edition requirements, plus

    ability to run on 8-processor or 32-processor systems

    stability testing under stress

    driver verification under stress and driver interface stress testing

    test for crash recovery under stress

    availability of debug symbols or tools

    round-the-clock support availability

    Supplementary and Optional Certifications are

    optimized for use with AD services

    optimized for use with Terminal Services technologies

    optimized for manageability

    Applications that meet these high-level requirements as well as significantly more detailedspecifications receive the Certified for Microsoft Windows Server logo, which indicates that anapplication is likely to perform as desired. As with hardware, you must also perform testing toevaluate an applications compatibility with your environment. In many instances, third-party softwarecompanies and in-house developers wont have submitted their applications to VeriTest, so you mustrely on their assertions of compatibility and their support policies in the event something goes wrong.


Compatibility tools and resources

Windows Server 2003 includes diagnostic and configuration utilities to help automate the evaluation of compatibility. Before upgrading a server to Windows Server 2003, run the Windows Upgrade Advisor, which, using a wizard-driven interface, analyzes the server's current hardware and software environment, compares what it finds to the Windows Catalog, and reports any compatibility concerns it identifies.

    After you insert a Windows Server 2003 CD-ROM and the graphical setup program loads, youcan select the Check System Compatibility link, and then select the Check My System Automaticallylink to access the Upgrade Advisor tool. You can also launch Upgrade Advisor from the commandline by issuing the command

    cd-rom:\i386\winnt32.exe /checkupgradeonly

As we previously mentioned, confirmation of compatibility by the Upgrade Advisor is a good indicator but is not a substitute for your own testing. Similarly, a report of a compatibility problem doesn't mean a device or application won't function perfectly well in your environment.

Upgrade vs. Migration

To move from a Windows 2000 Server or NT 4.0 domain, you need to bring your current directory service forward. Depending on your business needs, functional requirements, and environment, you can choose from two paths: upgrading existing DCs and servers in place, or performing clean installations and migrating data, applications, and settings to them.

Windows Server 2003 supports upgrades from Windows 2000 Server and NT 4.0. Companies that choose to upgrade believe upgrading is the simpler process because it lets the directory keep existing user accounts, settings, groups, rights, and permissions. Upgrading also can avoid the need to reinstall applications. We provide details about upgrading later in the book, and you will see that the perception of simplicity is quite distant from the reality. To perform a complete and clean upgrade, you need to perform many preparatory and follow-through steps that make it not so simple after all.

Our experience is that upgrading is effective: it works. However, upgrading is generally best only in situations where the environment is very straightforward or the migration needs to take place at an extremely rapid pace. The most underestimated disadvantage of upgrading is that it does not encourage a complete and thorough inventory and examination of the IT environment. Therefore upgrading does not encourage rethinking the role and processes of IT to better leverage and reflect new directory-service-driven enterprise technologies.

True migration requires you to introduce a new system (in this case a new server with a new directory service) into the environment and move all relevant components to the new system. As such, you can theoretically migrate from any other platform to Windows Server 2003 with the right tools. Microsoft provides the Active Directory Migration Tool (ADMT) to facilitate migrations from Windows 2000 Server and NT 4.0. Third-party companies produce applications to migrate from NetWare and other directory services.

Because migration provides a clean start, you receive a guarantee that misconfigurations, bugs, and other problems won't carry over from the old system to the new one. Given Windows Server 2003's improved default security, this guarantee is an important consideration; you don't want to risk increasing your exposure by carrying over weak configurations from NT 4.0 or even Windows 2000 Server.

Upgrading

Table 1.3 describes the supported upgrade paths from Windows 2000 Server and NT 4.0 Server editions to Windows Server 2003 editions. Note that you cannot upgrade to Windows Server 2003, Web Edition from any earlier platform.

Table 1.3: Windows Server 2003 Supported Upgrade Paths

Source platform                      Standard Edition   Enterprise Edition   Datacenter Edition
NT Server 4.0                        X                  X
NT 4.0, Terminal Server Edition      X                  X
NT Server 4.0, Enterprise Edition                       X
Windows 2000 Server                  X                  X
Windows 2000 Advanced Server                            X
Windows 2000 Datacenter Server                                               X

Be aware that to upgrade to Windows Server 2003 from any NT 4.0 edition, you must have installed Service Pack 5 (SP5) or later. Also note that Windows Server 2003 doesn't support direct upgrades from NT versions earlier than NT 4.0. As such, an upgrade from NT 3.51 first requires you to upgrade to Windows 2000 Server or NT 4.0, then upgrade again to Windows Server 2003. In such cases, a clean installation is almost always the better choice.

The basic process of upgrading is to insert the installation CD-ROM and let the Setup Wizard upgrade the system. In an NT 4.0 domain, you begin with the PDC, then upgrade the BDCs. In a Windows 2000 Server domain, the order in which you upgrade DCs matters less, but you must first prepare the forest and domain by running adprep /forestprep on the schema master and adprep /domainprep on each domain's infrastructure master. To perform a clean and complete Windows Server 2003 upgrade of a domain, the steps are somewhat more complex, and we explain them later in this book.

Migrating

Migration is typically a more complex process but with significant return on effort. By carefully evaluating, planning, testing, piloting, and implementing a migration, your organization will benefit from a well-documented, well-thought-out enterprise network. Such a network will align with and support business strategies and will adapt and flex with the business as its needs and functional requirements change over time. These are significant strategic benefits to migrating, although difficult to quantify.

The most important consideration in migration is the management of identities and security permissions. Although we explore this topic in depth in coming chapters, you need to understand the major thrust of the issue.

Security IDs

Windows directory services (in Windows Server 2003, Windows 2000 Server, or NT domains) maintain identity information about security principals. Security principals are identities to which you can assign logon rights, system privileges, or permissions on resources such as files and printers. The most common security principals are users, groups, and computers. Windows Server 2003 adds a new security principal, inetOrgPerson, for compatibility with other directory services. A security principal's identity information refers to the attributes in the directory that describe and enable it; you probably refer to this as an account. For example, a user object in AD includes properties, such as username and password, that let the directory authenticate the user. So while a user object in AD is an account, it is also much more, because it contains information including phone numbers, managers and direct reports, organizational information, and email addresses.

    What identifies a security principal is a unique number, the SID, assigned to a newly createdobject. Each security principal (i.e., user, group, computer, and inetOrgPerson) has a SID unique inthe domain. That SID appears on ACLs that define resource access permissions for files, folders,printers, registry keys, and much more.

When you migrate an account from an earlier version (i.e., Windows 2000 Server or NT 4.0) domain to a Windows Server 2003 domain, you create a new security principal in the Windows Server 2003 AD and populate that object's attributes with the attributes (e.g., name, username, password, home directory) from the account in the earlier version domain. All the important attributes copy except the SID, which the new directory service generates itself, because a SID embeds the identifier of the domain that issued it. Therefore a user can log on to the new domain with the same username and password. But after authenticating, that user receives a SID from the new domain, and that SID won't allow access to resources previously secured using the old account's SID. The same thing happens for groups. So you can end up with a situation where the new directory service looks like it maintains the same user and group accounts as the old domain, but nobody can access the resources they accessed in the old domain. You can choose from two methods to address what would otherwise be a disastrous problem.

Repermissioning resources

The first method is to repermission resources, which replaces permissions that point to accounts in the old domain with permissions that refer to the appropriate security principals in the new domain. Although repermissioning resources results in a completely clean migration, with no vestiges of accounts or SIDs from the old domain, it can be extremely complex, time consuming, and error prone: every ACL on every file server, share, printer, registry key, and application must be found and rewritten.

SID History

The second method uses an attribute of security principals called sIDHistory. Windows Server 2003 AD supports this attribute, which stores SIDs from previous accounts. When you migrate a user account from a Windows 2000 Server or NT 4.0 domain, you can elect to copy its SID into the sIDHistory attribute of the security principal in the new domain. When the user logs on, the resulting access token then consists not only of the SIDs of the new domain user account and the groups to which the user belongs but also of the SIDs from the sIDHistory of those user and group objects. Then, when the user attempts to access a resource whose ACL contains permissions referring to the old domain SID, the SIDs from the SID history allow access at the same level as before.

This method is a creative and effective solution to the challenge of migrating identities. The disadvantage is that it leaves behind larger access tokens (the token now carries the historical SIDs as well) and resources that are still secured with old identities. In other words, you have a bit of bloat remaining. Two practical cautions apply. First, SID filtering, which Windows Server 2003 turns on by default for external trusts, strips sIDHistory SIDs from a token that crosses such a trust, so test resource access across trusts rather than assume the history will be honored. Second, because a SID in sIDHistory grants whatever its original owner could reach, the ability to write this attribute is itself a high-value permission; restrict it to the migration accounts and audit changes to it.


A common solution

Many organizations use sIDHistory to give users an uninterrupted experience and to maintain security and resource access levels immediately after migration. Over time they repermission resources to refer only to SIDs in the new domain, then, after completing the repermissioning, remove the SID histories from the security principals.

These processes are intensive, but luckily many tools, particularly from third-party vendors such as NetIQ, Aelita, or Quest, can help. We examine the factors that might lead you to use one or more of these tools in Chapters 2 through 5.
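The three preceding subsections (the access check a token undergoes, repermissioning, and sIDHistory) describe one mechanism from different angles, so one worked example covers them. It is an added Python model, not code from this eBook, from ADMT or from any vendor tool: it builds a migrated user's token with and without sIDHistory, runs both against an ACL that still names old-domain SIDs, then repermissions the ACL and clears the history to show that access survives on new SIDs alone. Domain SIDs, RIDs, names, the access-mask bits and the ACL are constructed; the "stripped" token stands in for what a SID-filtered trust, or a migration run without sIDHistory, leaves behind.

```python
"""Access checks with sIDHistory, and the repermissioning that retires it.

Added example; not code from the eBook, ADMT or any vendor tool. It models
the mechanism the text describes: a migrated user's access token carries
the new-domain SIDs plus every SID held in sIDHistory (the user's own and
those of the groups it belongs to); ACEs on old resources still name
old-domain SIDs; repermissioning rewrites those ACEs to the new SIDs so the
history can be cleared. Domain SIDs, RIDs, names and the ACL are
constructed.
"""
from dataclasses import dataclass, field

OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed: the NT 4.0 source domain
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # constructed: the Windows Server 2003 target domain

READ, WRITE, DELETE = 0x1, 0x2, 0x4      # toy access-mask bits


@dataclass
class Principal:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)   # SIDs copied from the old account
    member_of: list = field(default_factory=list)     # group Principals


@dataclass
class ACE:
    kind: str     # "allow" or "deny"
    sid: str
    mask: int


def build_token(user: Principal) -> set:
    """Every SID the security subsystem places in the user's access token."""
    sids = [user.sid, *user.sid_history]
    for group in user.member_of:
        sids.extend([group.sid, *group.sid_history])
    return set(sids)


def access_check(acl: list, token: set, desired: int) -> bool:
    """Walk the ACL in canonical order (explicit denies first, as Windows
    stores them): a deny that covers any still-outstanding right fails the
    check, allows whittle the outstanding rights down, and the check
    succeeds as soon as nothing remains."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def repermission(acl: list, principals: list) -> list:
    """Replace each ACE that names an old SID with the new SID of the
    principal whose sIDHistory holds it. SIDs with no mapping are kept
    unchanged so they can be reviewed: those are orphaned permissions."""
    mapping = {old: p.sid for p in principals for old in p.sid_history}
    return [ACE(a.kind, mapping.get(a.sid, a.sid), a.mask) for a in acl]


def clear_sid_history(principals: list) -> None:
    for p in principals:
        p.sid_history.clear()


def build_example():
    finance = Principal("Finance", f"{NEW_DOMAIN}-1105", [f"{OLD_DOMAIN}-1011"])
    alice = Principal("alice", f"{NEW_DOMAIN}-1104", [f"{OLD_DOMAIN}-1003"], [finance])
    acl = [                                               # ACL of a share left in the old domain
        ACE("deny", f"{OLD_DOMAIN}-1003", DELETE),        # alice personally denied DELETE
        ACE("allow", f"{OLD_DOMAIN}-1011", READ | WRITE), # Finance group allowed READ and WRITE
    ]
    return alice, finance, acl


def migration_walkthrough() -> dict:
    alice, finance, acl = build_example()
    results = {}
    with_history = build_token(alice)
    results["with_history_read"] = access_check(acl, with_history, READ)
    results["with_history_delete"] = access_check(acl, with_history, DELETE)
    # What a SID-filtered trust, or a migration run without sIDHistory, leaves in the token
    stripped = {alice.sid, finance.sid}
    results["no_history_read"] = access_check(acl, stripped, READ)
    # Repermission, then retire the history; access must survive on new SIDs alone
    new_acl = repermission(acl, [alice, finance])
    clear_sid_history([alice, finance])
    results["repermissioned_read"] = access_check(new_acl, build_token(alice), READ)
    results["repermissioned_delete"] = access_check(new_acl, build_token(alice), DELETE)
    results["orphaned_aces"] = [a for a in new_acl if a.sid.startswith(OLD_DOMAIN)]
    return results


if __name__ == "__main__":
    for step, outcome in migration_walkthrough().items():
        print(f"{step:22} {outcome}")
```

Two details are worth noticing. The deny ACE on the old SID is honored through sIDHistory as well, so the migration preserves restrictions and not only grants; and after repermissioning, any ACE that still names an old-domain SID is a permission for an account nobody migrated, which is exactly the list you want to review before removing the old domain.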

Evaluating Exchange Server 2003's New Capabilities and Features

Exchange Server 2003 is the latest release of Microsoft's widely adopted messaging and groupware platform. In 1996 Microsoft introduced Exchange Server 4.0 to replace its aging Microsoft Mail (MS Mail) product. The initial Exchange Server release ran on NT Server 3.51. Throughout the next several years, Exchange Server became a popular messaging system for large, medium, and small organizations worldwide. In February 1997, Microsoft released Exchange 5.0, which ran on NT 4.0 and 3.51. Then in November 1997, Exchange Server came of age as a mature, robust messaging and groupware solution. Exchange Server 5.5 supports messaging databases over 16GB and offers 2-node active/passive clustering. Exchange Server 5.5 also introduced other important technology such as support for IMAP4, the server-side Deleted Item Recovery feature, the Outlook Web Access (OWA) client, and server-side event scripting.

In October 2000, Exchange 2000 Server entered the market. This Exchange Server edition doesn't maintain its own directory. Instead, Exchange 2000 Server relies completely on Windows 2000 Server AD for its directory service