
Lesson 4 - Planning for Migration and Interoperability

ITMT 2456 70-647



Designing support identity and access management components
  3.1 Plan for domain or forest migration, upgrade, and restructuring.
  3.4 Plan for interoperability.

Migrating to Windows Server 2008 R2
Adding computers running Windows Server 2008 R2 to an existing Windows Server 2003 or
Windows 2000 Server network as member servers does not require any special planning or
preparation.

Migrating to Windows Server 2008 R2
However, if you are planning to upgrade existing servers to Windows Server 2008 R2, there
are certain limitations.
In-place upgrades to Windows Server 2008 R2 are permissible from Windows Server 2003
SP2, Windows Server 2003 R2, or Windows Server 2008, as long as the platform,
architecture, edition, and language are the same.
You can upgrade across editions if the Windows Server 2008 R2 edition is the same or higher
than its precedent.

Migration Paths
A directory service migration is the process that takes you from a source directory, that is, your
current Active Directory infrastructure, to a target directory, which is a Windows Server 2008
R2 AD DS infrastructure.
There are three possible migration paths from the source to the target, as follows:
o Domain upgrade migration
o Domain restructure migration
o Upgrade-then-restructure migration

Selecting a Migration Path
One of the first steps in the planning process is to decide which migration path you want to
use.
Some of the criteria you should use to make that decision are as follows:
o Design
o Time
o Budget
o Productivity
o Manpower

Migrating Objects
All migrations that include a domain restructuring require administrators to copy or move
objects between domains, or possibly between forests.
Active Directory Migration Tool (ADMT) is a free package from Microsoft that can migrate
objects within or between forests, and includes a modeling mode that enables you to try out
sample designs before committing to them.

Upgrading a Domain
To upgrade to Windows Server 2008 R2, you must modify the schema of your existing Active
Directory installation.
o Prepare the forest
adprep /forestprep
o Prepare the domain
adprep /domainprep /gpprep
Then you can upgrade one of the domain controllers to Windows Server 2008 R2 or install a
new Windows Server 2008 R2 domain controller.

Change Schema Master Dialog Box

Adprep /forestprep Command

Operations Master Dialog Box



Adprep /domainprep /gpprep Command


Restructuring a Domain
As mentioned earlier, in a domain restructure migration, you create at least one new Windows
Server 2008 R2 domain and copy or move your existing objects into it.
Because you are moving objects individually, you can place them in different domains and
organizational units, creating an entirely different AD DS hierarchy for your network.
There are two basic types of domain restructure:
o Interforest
o Intraforest
Interforest Migration
In an interforest migration, you create a new Windows Server 2008 R2 forest (pristine forest).
In this model, the source domain remains unmodified because the only connection between
the source and the target domains is a trust relationship, and trusts can exist between forests
using different versions of Windows Server.

Intraforest Migration
In an intraforest migration, you create a new domain in the same forest as your source domain
and copy or move objects between the two.
However, you cannot create a Windows Server 2008 R2 domain in an existing Windows
Server 2003 or Windows 2000 Server forest.
Therefore, you must upgrade your existing forest to Windows Server 2008 R2 first, and then
perform the restructure.

Performing an Interforest Migration
An interforest domain restructure migration does not require the schema preparation that a
domain upgrade does, because you are not adding to or modifying the source domain in any
way.
The steps involved in performing the migration:
o Creating a pristine forest
o Creating interforest connections
o Installing Active Directory Migration Tool
o Enabling auditing
o Decommissioning the source domain

DNS Secondary Zones for Interforest Communication


Create Trusts Between Forests
Audit Policy Container

Order of Migration
To preserve all of the object attributes and to place all of the objects in the appropriate
destinations, you must migrate the objects in the correct order, as follows:
1. Groups
2. Users
3. Computers

Migration Groups - Group Selection Page

Migration Groups - Object Properties Exclusion Page


Migration Groups - Conflict Management Page

Migration Groups - Migration Progress Page


Migrating Users Password Options

Understanding Cross-Forest Authentication
Every object in an Active Directory or Active Directory Domain Services database has a unique
security identifier (SID).
AD DS uses SIDs internally to identify objects.
No matter what migration tool or mechanism you use, when it creates new objects in your
target domain, AD DS assigns new SIDs to them.
The sIDHistory attribute contains all of the former SIDs by which the object has been known.
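The migration order above and the sIDHistory mechanism just described can be seen together in the following added example (written for this page in Python; it is not course material and not ADMT code). It models a source and a target domain with constructed names and SIDs, migrates objects in a chosen order, builds the user's access token from its own SID, its sIDHistory and its groups' SIDs, and evaluates an ACL that still names the source-domain SIDs. A user migrated before its group ends up with an unresolved membership, and a token passed through SID filtering on the trust loses the historical SIDs.

```python
"""Simplified model of an ADMT-style migration that records sIDHistory.
Added example (not from the course or from ADMT); domain names and SIDs are
constructed. It shows why groups are migrated before users and how the
former SIDs kept in sIDHistory preserve access to resources whose ACLs still
name the source-domain SIDs."""
from dataclasses import dataclass, field


@dataclass
class DirectoryObject:
    name: str
    sid: str
    kind: str                                   # "group" or "user"
    members: set = field(default_factory=set)   # groups only: member names
    sid_history: list = field(default_factory=list)


class Domain:
    """A domain hands out SIDs as <domain SID>-<RID>; RIDs are never reused."""

    def __init__(self, name, domain_sid):
        self.name = name
        self.domain_sid = domain_sid
        self.next_rid = 1100
        self.objects = {}

    def create(self, name, kind, members=()):
        obj = DirectoryObject(name, f"{self.domain_sid}-{self.next_rid}", kind, set(members))
        self.next_rid += 1
        self.objects[name] = obj
        return obj


def migrate(source, target, names):
    """Copy objects in the given order. The target assigns a new SID and the
    old one goes into sIDHistory. A user's group membership can only be
    re-created if the group already exists in the target, so migrating users
    before their groups leaves memberships unresolved."""
    unresolved = []
    for name in names:
        src = source.objects[name]
        tgt = target.create(name, src.kind)
        tgt.sid_history = [src.sid] + src.sid_history
        if src.kind == "user":
            for grp in source.objects.values():
                if grp.kind == "group" and name in grp.members:
                    if grp.name in target.objects:
                        target.objects[grp.name].members.add(name)
                    else:
                        unresolved.append((name, grp.name))
    return unresolved


def build_token(domain, user_name):
    """All SIDs the user is known by: own SID, own sIDHistory, and the SIDs
    (current and historical) of every group the user belongs to."""
    user = domain.objects[user_name]
    sids = {user.sid, *user.sid_history}
    for obj in domain.objects.values():
        if obj.kind == "group" and user_name in obj.members:
            sids.add(obj.sid)
            sids.update(obj.sid_history)
    return sids


def sid_filter(token, trusted_domain_sid):
    """Model of SID filtering on a trust: SIDs from any domain other than the
    trusted one (which is where sIDHistory entries come from) are dropped."""
    return {s for s in token if s.startswith(trusted_domain_sid + "-")}


def has_access(acl, token):
    """acl is a constructed allow-only ACE list: a set of SIDs granted access."""
    return bool(acl & token)


def run_scenario(order, filter_sids=False):
    """Returns (access granted?, list of unresolved (user, group) memberships)."""
    source = Domain("CONTOSO-OLD", "S-1-5-21-1111-2222-3333")
    target = Domain("CONTOSO-NEW", "S-1-5-21-4444-5555-6666")
    source.create("FinanceStaff", "group", members={"alice"})
    source.create("alice", "user")
    # File server ACL that still names the source group's SID (not yet re-ACLed).
    acl = {source.objects["FinanceStaff"].sid}
    unresolved = migrate(source, target, order)
    token = build_token(target, "alice")
    if filter_sids:
        token = sid_filter(token, target.domain_sid)
    return has_access(acl, token), unresolved


if __name__ == "__main__":
    print("groups then users:", run_scenario(["FinanceStaff", "alice"]))
    print("users then groups:", run_scenario(["alice", "FinanceStaff"]))
    print("with SID filtering:", run_scenario(["FinanceStaff", "alice"], filter_sids=True))
```

The third scenario is the practical caveat: SID filtering (quarantine) is enabled by default on external and forest trusts and discards the sIDHistory SIDs, so access through a trust only works until the resource ACLs have been re-ACLed to the new SIDs, which is what ADMT's security translation step does.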

Migrating Computers
After migrating your users and groups, you can proceed to migrate the computers other than
the domain controllers in your source domain.
Because the member servers and workstations in your source domain are actual physical
resources, the migration process is somewhat more complicated than it is for logical objects,
such as users and groups.
Computers will require a reboot.

Migration Computers Translate Objects Page

Performing an Intraforest Migration
An intraforest migration consists of both the domain upgrade and domain restructuring
procedures described in this chapter.
After upgrading your forest to Windows Server 2008 R2, you can restructure it by creating new
domains and using ADMT to migrate your objects from source to target within the same forest.

Planning for Interoperability
Interoperability issues typically occur in two ways:
o Users outside the organization have to access the enterprise network
o There are non-Windows computers inside the enterprise that have to access Windows
resources.
Windows Server 2008 R2 includes a variety of tools that address these issues.

Active Directory Federation Services
Active Directory Federation Services (AD FS) is a service that can extend the boundaries of an
AD DS environment to users in a partner enterprise.
AD FS is an identity federation solution that is essentially a different type of trust relationship
between two entities.
o A federation trust relationship enables one AD DS network to trust the user accounts in
another AD DS network.
o This provides cross-forest authentication capabilities for the two enterprises.
AD FS is a Windows Server 2008 R2 role that functions together with Active Directory Domain
Services or Active Directory Lightweight Directory Services (AD LDS).
To establish a federation partnership between two organizations, each must have an AD FS
server with the Federation Service role service installed.
Administrators then join these two servers together in a federation trust, which enables users
in one enterprise to send authentication requests to resource servers in the other enterprise.
The role services for the AD FS role:
o Federation Service: The primary AD FS service that authenticates users and issues
them security tokens
o Federation Service Proxy: An intermediate service, located on a perimeter network,
that provides secured Internet access to the Federation Service on an internal server
o AD FS Web Agents: Run on web servers hosting various types of applications,
processing the security tokens generated by the Federation Service


The Account Partner
The AD FS architecture designates one side of the federation as the account partner and the
other side as the resource partner.
The account partner requires a server running the Federation Service role service, which in
turn requires access to the AD DS or AD LDS directory.

The Account Partner Side of an AD FS Federation


Federation Claims
Because the account partner side is where the users are located, the Federation Service on
that side is responsible for authenticating the users against the AD DS or AD LDS database.
The service also gathers federation claims, which are certain agreed-upon attributes from the
user accounts, such as group memberships, and packages them in a security token, which it
sends to the resource partner.

Resource Partner
The resource partner side of the federation contains the same basic components, an internal
server running the Federation Service role service and a perimeter server running the
Federation Service Proxy role service, but the tasks they perform are slightly different.
When the Federation Service receives the security token from the account partner, it first
confirms that the partner is trusted.
Part of the configuration process on both sides of the federation consists of identifying the
other partner and the account store or resource involved in the trust.

The Resource Partner Side of an AD FS Federation


Federated Web Server
A federated web server has one of the AD FS web agents installed on it, which takes the form
of an ISAPI extension in IIS.
The web agent is the consumer of the security tokens generated by the resource partner
Federation Service, granting the user the access specified by the claims in the token.
Windows Server 2008 R2 includes two web agents: one for current applications that know how
to handle claims and one for applications that are not claims-aware.
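The claims flow described across the Federation Claims, Resource Partner and Federated Web Server slides is walked end to end in the following added example (written for this page in Python; it is not AD FS code and not course material). The account partner authenticates the user against its account store and packages the agreed-upon claims (group memberships) in a signed token; the resource partner first checks that the token comes from a trusted partner, translates the claims into its own and issues a new token for the web server; the claims-aware web agent accepts only tokens issued by its own resource partner. HMAC keys stand in for the partners' token-signing certificates, and all host names, accounts and claims are constructed.

```python
"""Model of the AD FS account partner / resource partner / web agent flow.
Added example, not AD FS code; HMAC keys stand in for token-signing
certificates, and every name, account and claim below is constructed."""
import hashlib
import hmac
import json


class FederationService:
    """Both partners run this. The web agent uses only the verify() path."""

    def __init__(self, name, signing_key=b"", trusted_partners=None):
        self.name = name
        self.key = signing_key
        self.trusted_partners = dict(trusted_partners or {})  # issuer -> its key
        self.account_store = {}                               # user -> (pw hash, claims)

    @staticmethod
    def _pw_hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def add_account(self, user, password, claims):
        self.account_store[user] = (self._pw_hash(password), list(claims))

    def _sign(self, payload):
        body = json.dumps(payload, sort_keys=True)
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def issue_account_token(self, user, password, audience, now, lifetime=300):
        """Account partner: authenticate against the account store, then package
        the agreed-upon claims in a token addressed to the resource partner."""
        entry = self.account_store.get(user)
        if entry is None or not hmac.compare_digest(entry[0], self._pw_hash(password)):
            return None
        return self._sign({"iss": self.name, "aud": audience, "sub": user,
                           "claims": entry[1], "exp": now + lifetime})

    def verify(self, token, now):
        """Accept a token only from a trusted issuer, with a valid signature,
        addressed to us and not expired. Returns the payload or None."""
        payload = json.loads(token["body"])
        key = self.trusted_partners.get(payload.get("iss"))
        if key is None:
            return None
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return None
        if payload.get("aud") != self.name or payload.get("exp", 0) < now:
            return None
        return payload

    def reissue_for_web_server(self, token, web_server, claim_map, now):
        """Resource partner: confirm the partner is trusted, map the partner's
        claims onto local ones and sign a new token for the web server."""
        payload = self.verify(token, now)
        if payload is None:
            return None
        local = sorted({claim_map[c] for c in payload["claims"] if c in claim_map})
        return self._sign({"iss": self.name, "aud": web_server, "sub": payload["sub"],
                           "claims": local, "exp": payload["exp"]})


def federated_access(user, password, now=1_700_000_000, partner_trusted=True):
    """Full walk through both partners and the web agent; returns (granted, reason)."""
    account_key, resource_key = b"account-partner-signing-key", b"resource-partner-signing-key"
    account = FederationService("fs.contoso.example", account_key)
    account.add_account("alice", "correct horse", ["Contoso\\Purchasing"])
    account.add_account("bob", "battery staple", ["Contoso\\Marketing"])
    resource = FederationService("fs.fabrikam.example", resource_key,
                                 {"fs.contoso.example": account_key} if partner_trusted else {})
    web_agent = FederationService("orders.fabrikam.example",
                                  trusted_partners={"fs.fabrikam.example": resource_key})
    claim_map = {"Contoso\\Purchasing": "OrdersUser"}   # partner claim -> local claim

    token = account.issue_account_token(user, password, resource.name, now)
    if token is None:
        return False, "account partner rejected credentials"
    web_token = resource.reissue_for_web_server(token, web_agent.name, claim_map, now)
    if web_token is None:
        return False, "resource partner: untrusted or invalid partner token"
    payload = web_agent.verify(web_token, now)
    if payload is None:
        return False, "web agent: token not issued by resource partner"
    if "OrdersUser" not in payload["claims"]:
        return False, "web agent: claims do not grant access"
    return True, f"{payload['sub']} granted with claims {payload['claims']}"


if __name__ == "__main__":
    for args in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "battery staple")]:
        print(args[0], "->", federated_access(*args))
    print("untrusted partner ->", federated_access("alice", "correct horse", partner_trusted=False))
```

Note that the web server never sees the account partner's token: only the resource partner's Federation Service is a trusted issuer for the web agent, which is the same separation of trust the slides describe.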

Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) is essentially a subset of Active
Directory Domain Services that provides basic services for directory-enabled applications that
do not require a full domain and forest infrastructure.
AD LDS is included with the Standard, Enterprise, and Datacenter versions of Windows Server
2008 R2, using the Full or Server Core installation option.

Planning UNIX Interoperability
Windows Server 2008 R2 includes a number of roles and features that enable computers
running UNIX operating systems to interact with Windows services, and enable computers
running Windows to access UNIX services.

Services for Network File System
In the UNIX world, standard file sharing is done with the Network File System (NFS).
As a result of this open standard, virtually all UNIX distributions available today include both
NFS client and server support.
To accommodate organizations that have heterogeneous networks containing both Windows
and UNIX computers, Windows Server 2008 R2 includes the Services for Network File System
role service, which provides NFS Server and NFS Client capabilities.

Creating NFS Shares
When you install the Services for Network File System role service in the File Services role,
the system adds an NFS Sharing tab to every volume and folder on the computer's drives.
To make a volume or folder accessible to NFS clients, you must explicitly share it, just as you
would for Windows network users.

NFS Sharing Tab of a Folder's Properties Sheet


Obtaining Users and Group Information
UNIX operating systems have their own user accounts, separate from those in Windows and
AD DS.
To prevent NFS clients running on UNIX systems from having to perform a separate logon
when accessing NFS shares, the Windows Server 2008 R2 NFS Server implementation can
look up the user information sent by the client and associate the UNIX account with a particular
Windows account.
In UNIX, when a user successfully authenticates with an account name and password, the
operating system assigns him or her a user identifier (UID) value and a group identifier (GID)
value.
The NFS client includes the UID and GID in the file access request messages it sends to the
NFS server.
NFS Server supports two mechanisms for obtaining user and group information, as follows:
o Active Directory lookup
o User Name Mapping
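How the UID and GIDs carried in an NFS request become a Windows identity, using the two lookup mechanisms just listed, is modelled in the following added example (written for this page in Python; it is not Microsoft code). It performs an Active Directory lookup on constructed uidNumber/gidNumber values of the kind shown on the UNIX Attributes tab, falls back to a User Name Mapping table in a simplified constructed format, and then applies the share's "Allow anonymous access" setting and a constructed ACL to decide each request.

```python
"""Model of how the Windows Server 2008 R2 NFS Server turns the UID and GIDs
in a client request into a Windows identity, via an Active Directory lookup
or a User Name Mapping table. Added example, not Microsoft code; the
directory contents, the mapping table (a simplified format) and the requests
are all constructed."""
from dataclasses import dataclass

# Constructed AD lookup data: uidNumber -> user, gidNumber -> group.
AD_USERS_BY_UID = {1001: "CONTOSO\\alice", 1002: "CONTOSO\\bob"}
AD_GROUPS_BY_GID = {2000: "CONTOSO\\Engineering", 2001: "CONTOSO\\Finance"}

# Constructed User Name Mapping table in a simplified one-entry-per-line format.
USER_NAME_MAPPING = """
# unix user   uid    windows account
svc_backup    3001   CONTOSO\\svc_backup
carol         1003   CONTOSO\\carol
"""


@dataclass
class NfsShare:
    path: str
    allow_anonymous: bool   # the share's "Allow anonymous access" setting
    acl: dict               # constructed ACL: Windows principal -> "r" or "rw"


def parse_user_name_mapping(text):
    """Return {uid: windows account} from the mapping table, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            _unix_user, uid, windows_account = line.split()
            table[int(uid)] = windows_account
    return table


def parse_request(line):
    """Parse a constructed request record such as
    'uid=1001 gids=2000,2001 op=WRITE path=/exports/finance'."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"uid": int(fields["uid"]),
            "gids": [int(g) for g in fields["gids"].split(",") if g],
            "op": fields["op"], "path": fields["path"]}


def resolve_identity(uid, gids, mapping):
    """AD lookup first, then the mapping table; unknown GIDs are simply ignored."""
    user = AD_USERS_BY_UID.get(uid) or mapping.get(uid)
    groups = [AD_GROUPS_BY_GID[g] for g in gids if g in AD_GROUPS_BY_GID]
    return user, groups


def effective_rights(share, uid, gids, mapping):
    """'rw', 'r' or None. An unmapped UID becomes ANONYMOUS LOGON only when the
    share allows it; a mapped user without an ACE is denied, not downgraded."""
    user, groups = resolve_identity(uid, gids, mapping)
    if user is None:
        if not share.allow_anonymous:
            return None
        user, groups = "ANONYMOUS LOGON", []
    rights = [share.acl[p] for p in [user, *groups] if p in share.acl]
    if not rights:
        return None
    return "rw" if "rw" in rights else "r"


def authorize(line, shares, mapping):
    """Decide one request: True if the operation is permitted on the share."""
    req = parse_request(line)
    share = shares.get(req["path"])
    if share is None:
        return False
    rights = effective_rights(share, req["uid"], req["gids"], mapping)
    if rights is None:
        return False
    return rights == "rw" or req["op"] == "READ"


SHARES = {
    "/exports/public": NfsShare("/exports/public", True,
                                {"ANONYMOUS LOGON": "r", "CONTOSO\\Engineering": "rw"}),
    "/exports/finance": NfsShare("/exports/finance", False,
                                 {"CONTOSO\\Finance": "rw", "CONTOSO\\alice": "r"}),
}

if __name__ == "__main__":
    mapping = parse_user_name_mapping(USER_NAME_MAPPING)
    for line in ["uid=1001 gids=2000 op=WRITE path=/exports/finance",
                 "uid=1002 gids=2000,2001 op=WRITE path=/exports/finance",
                 "uid=9999 gids=9999 op=READ path=/exports/public",
                 "uid=9999 gids=9999 op=READ path=/exports/finance",
                 "uid=3001 gids=3001 op=READ path=/exports/public"]:
        print(line, "->", "allow" if authorize(line, SHARES, mapping) else "deny")
```

The point to keep in mind when planning this: with the classic AUTH_SYS security flavour the UID and GIDs are asserted by the client, so the mapping is only as trustworthy as the UNIX hosts allowed to mount the share. This is why the NFS Sharing tab's per-client permissions and the "Allow anonymous access" setting matter, and why Kerberos-based NFS security is preferable where the UNIX side supports it.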

UNIX Attributes Tab of a User Object's Properties Sheet

Identity Management for UNIX
While Services for NFS is designed to provide UNIX clients with access to Windows resources,
Identity Management for UNIX is a role service of the Active Directory Domain Services role
that is intended to integrate computers running Windows into a UNIX infrastructure.

Network Information Services
Network Information Service (NIS) is a directory service that many UNIX distributions use as a
repository for user and group information.
Unlike AD DS, NIS is a simple directory that is neither hierarchical nor object-oriented.
The Server for Network Information Services role service enables an AD DS domain controller
running Windows Server 2008 R2 to assume the role of the master NIS server for your
network, presumably replacing a UNIX server.

NIS Data Migration Wizard

Password Synchronization
UNIX systems maintain their own user accounts, separate from those in AD DS and on
standalone Windows servers.
For enterprises with users that must access both Windows and UNIX resources, maintaining
these accounts in synchrony can require a great deal of administrative effort.
The Password Synchronization role service automates this task by detecting password
changes in AD DS or Windows and sending those changes to selected UNIX systems using
encrypted messages. After adding the role service, you can add UNIX computers in the
Microsoft Identity Management for UNIX console.

Add Computer Dialog Box for Password Synchronization


Password Synchronization
The Password Synchronization role server provides the Windows side of the service, but you
must also install the correct components on your UNIX systems before synchronization can
occur.
To synchronize passwords on UNIX computers with changes to Windows user accounts, you
must install the Password Synchronization daemon on the UNIX systems.

You Learned
In-place upgrades to Windows Server 2008 R2 are permissible from Windows Server 2003
SP2, Windows Server 2003 R2, or Windows Server 2008, as long as the platform,
architecture, edition, and language are the same.
In a domain upgrade migration, you either upgrade one of the existing domain controllers in
your source domain to Windows Server 2008 R2 or install a new domain controller running
Windows Server 2008 R2 into the domain.
An upgrade-then-restructure migration is a two-phase process in which you first upgrade your
existing forest and domains to Windows Server 2008 R2 and then restructure the AD DS
database by migrating objects into other domains within the same forest.
In an interforest migration, you create a new Windows Server 2008 R2 forest, called a pristine
forest because it is in no way an upgrade from your existing directory, and copy or move
objects from your source domain into it.
In an intraforest migration, you create a new domain in the same forest as your source domain
and copy or move objects between the two.
Active Directory Migration Tool is a wizard-based utility that enables you to perform both
interforest and intraforest migrations.
Interoperability issues typically occur in two ways: either users outside the organization have to
access the enterprise network or there are non-Windows computers inside the enterprise that
have to access Windows resources.
Active Directory Federation Services is an identity federation solution that enables one AD DS
network to trust the user accounts in another AD DS network.
The administrators on the account partner side designate an AD DS or AD LDS directory as
the account store and maintain the user accounts that require access to the resources hosted
by the resource partner.
The resource partner side of the federation contains the same basic components as the
account partner, but the Federation Service receives the security token from the account
partner, confirms that the partner is trusted, and creates another token for the web server
hosting the application.
AD LDS is essentially a subset of Active Directory Domain Services that provides basic
services for directory-enabled applications that do not require a full domain and forest
infrastructure.
To accommodate organizations that have heterogeneous networks containing both Windows
and UNIX computers, Windows Server 2008 R2 includes the Services for Network File System
role service, which provides NFS Server and NFS Client capabilities. An NFS server exports
part of its file system, and the NFS client integrates the exported information, a process called
mounting, into its own file system.
Identity Management for UNIX is a role service of the Active Directory Domain Services role
that is intended to integrate computers running Windows into a UNIX infrastructure.
Network Information Service (NIS) is a directory service that many UNIX distributions use as a
repository for user and group information. Unlike AD DS, NIS is a simple directory that is
neither hierarchical nor object-oriented.