Windows 2000 AD Site Migration
... The purpose of this document is to outline some of the tasks and coordination required to migrate a Site to Company production Active Directory Forest. This is not meant to be a structured process listing all of the associated details since each site will be different and have its own requirements and priorities for completing the various migration steps. This document is meant to be a project level checklist that can be used as a starting point for a Site Migration project. The document begins by briefly discussing each of the steps involved in migrating a Site. Next, examples of typical site server architecture and a migration sequence are described. Lastly, the document discusses who is responsible for the various tasks and the cost associated with using the enterprise migration tool. The Appendices include additional information about Company Active Directory Architecture, suggested Windows 2000 Domain Controller specifications, and file server migration.

Site Migration

This section describes the various steps required to migrate a Site from Windows NT to Company Enterprise-wide Active Directory Forest. ... The main areas of concern in Site migration are listed below and each is described in the following sections.

• Active Directory authentication
• Active Directory site infrastructure
• User migration
• Desktop computer migration
• Resource permissions
• Server migration
• Local domain retirement

Active Directory Authentication

Authentication is an integral part of networking security. ...

• Install a Windows 2000 server
• Allow server Dynamic DNS registrations
  o Ask the Network Team to modify DNS permissions to allow this server to dynamically register resource records.
• Promote the server to a domain controller

Active Directory Site Infrastructure

Each site will require permissions to fully administer all objects in their site.
In the Company’s Active Directory Forest, this is achieved by creating an Organizational Unit (OU) for each site and delegating permissions to the site administrators to administer it. ... The Active Directory uses Sites (not to be confused with a Company site) to segment network traffic. Active Directory Sites are associated with IP subnets and help in locating AD services. ... These tasks must also be completed before any users can be migrated to the AD.

• Create location OU
  o Create the sub OUs
  o Create a local Administrative group for the location OU
  o Assign Permissions to all OUs
• Create an AD Site
• Create an AD Site Link

User Migration

At most sites, users either have an account in the local Windows NT domain or, for small sites, have an account in the COMPANY domain. Part of the user migration process is to create a new user account in the appropriate AD domain and have the user use the new account to log on. ... Some of these tasks include migrating the groups that a user is a member of, and allowing the new AD account to access the user’s Exchange mailbox. Another aspect of user migration is migration of the desktop to Windows 2000 and migration of the computer to the AD domain. The final task that is discussed here is migration of the user’s desktop profile, so the user can have the same desktop without having to recreate it from the default desktop. ...

• Migrate user NT accounts to AD
• Migrate NT security groups to AD
• Migrate desktops to Windows 2000
• Create computer accounts in AD
• Migrate the user logon profile
  o Migrate the user’s local NT profile to the user’s new AD account so they have the same desktop when logging on with the AD account. ...
• Give the new AD account access to the user’s Exchange mailbox

Desktop Computer Migration

One of the most time-consuming aspects of the Windows 2000 migration process is migrating the desktops to Windows 2000.
Migrating desktops can be done at any time, but users are usually moved to the Windows 2000 operating system before or at the same time they begin using their new Active Directory account. If desktops are migrated before an AD domain controller is available in the site, then the Windows 2000 desktop can be a member of the NT 4 domain. If the desktop migration is the only item that is holding up the local domain retirement, then the NT 4 desktops can be made members of the AD domain. The local user’s NT 4 logon profile can either be migrated through the migration tool or can simply be copied to the user’s new AD logon profile.

Resource Permissions

Once the User Migration tasks are complete, the user account will have the equivalent configuration to the old NT account, but it still will not be able to access any shares. ... At this point in the migration, the ACEs all refer to the user’s old NT account. The migration tool is used to go through all of the files in all of the shares that a user has access to and add an ACE that refers to the user’s new AD account.
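
The re-permissioning step described above, sketched in PowerShell as an added example: it is not the enterprise migration tool the document refers to and not code from the original document. The share path and both account names are constructed placeholders, and the script assumes both accounts can be resolved to SIDs from the machine where it runs.

```powershell
# Added example: mirror a user's explicit ACEs from the old NT account onto the
# new AD account, leaving the old ACEs in place. All default values below are
# constructed placeholders, not values from the original document.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SharePath  = '\\FILESERVER01\Share',   # placeholder share
    [string]$OldAccount = 'OLDNTDOM\jdoe',          # placeholder NT 4 account
    [string]$NewAccount = 'ADDOMAIN\jdoe'           # placeholder AD account
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Resolve both names to SIDs so matching does not depend on name formatting.
$oldSid = (New-Object System.Security.Principal.NTAccount($OldAccount)).Translate($sidType)
$newSid = (New-Object System.Security.Principal.NTAccount($NewAccount)).Translate($sidType)

# The share root plus everything beneath it, including hidden items.
$items = @(Get-Item -LiteralPath $SharePath) +
         @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Explicit ACEs only: inherited entries follow automatically once the
    # parent folder carries the new account's ACE.
    $oldRules = @($acl.GetAccessRules($true, $false, $sidType) |
                  Where-Object { $_.IdentityReference.Value -eq $oldSid.Value })
    if ($oldRules.Count -eq 0) { continue }

    foreach ($rule in $oldRules) {
        # Same rights, inheritance, propagation and Allow/Deny type; new identity.
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newSid, $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)
        $acl.AddAccessRule($newRule)
    }

    # -WhatIf lists the affected paths without writing any ACL.
    if ($PSCmdlet.ShouldProcess($item.FullName, "Add ACEs for $NewAccount")) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Running it first with `-WhatIf` gives a reviewable list of every path where the old account holds an explicit ACE, which is also the list to revisit when the old ACEs are removed at local domain retirement.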