In-Depth

Server Migration: Moving from Here to There

Migrating servers, users and resources from Windows NT to Windows Server 2003 was a big challenge for our fictional hero. We review a number of third-party tools to help ease his pain.

Editor’s note: Names and places are the product of the authors’ imagination, and any resemblance to actual persons is purely coincidental.

Like many shop managers using Windows NT, Donald P. Apscot, MCSE and IT manager for T&T Corp., hasn’t moved off the platform yet. But NT is on its way out. With a little over a year left for support, now’s the time for T&T to move to Windows Server 2003.

With some 1,200 users and more than 1,000 PCs scattered across the country, the migration won’t be easy. The project is already underway, with a migration testing lab that duplicates most of the elements of the production environment. The migration will cover four major activities:

 Security principal migration. Migrating users and computers from the NT Security Accounts Manager (SAM) database to Active Directory.

 Member server migrations. Migrating all services found on member servers including file, print, management and other services. This includes special products such as Exchange, Site Server, and other BackOffice services.

 PC migrations. Migrating PCs from obsolete operating systems such as Windows 98 and NT to Windows XP. This will involve capturing and restoring user data and preferences or profiles.

 Application migrations. This involves conversions or redevelopment of both rich client and Web-based in-house applications.

The migration will be eased with a parallel network. Users and data will move from the old to the new network (see Figure 1), and all server and workstation installations will be clean. This way, T&T can take full and immediate advantage of all of XP/Windows 2003’s native features. And users in either network can share applications and services during the project.

T&T will start with the security principal migration. If this environment is set up the right way, Don can migrate user and computer accounts, as well as groups, at his own pace.

Migrating from legacy to parallel environment
Figure 1. To migrate users from the legacy network to the parallel environment and to allow users in both networks to access shared resources in either environment, Don needs to establish a two-way trust between the master domain in NT and the production domain in the AD forest.

T&T narrowed the field of migration tools to four choices: NetIQ Domain Migration Administrator (DMA), BindView bv-Admin for Windows Migration, Aelita Domain Migration Wizard (DMW), and Quest Migrator. Several of the products actually come in suites, but for now, T&T is only interested in the domain migration aspects.

Tests will home in on three areas:

 The ability to generate reports about an existing environment before performing a migration;

 The ability to test out a migration before actually performing it; and,

 The migration itself, to see if the products perform as advertised.

The T&T Testing Environment

Source domains: TANDT, TANDT_RES
Target domain: Intranet.TandT.net
Source domain model: Single master domain, plus resource domain
No. of user accounts: 1,255
No. of disabled user accounts: 97
User accounts with expiry dates: 197
Valid user accounts: 961
User accounts with logon restrictions: 151
No. of privileged accounts in NT: 100
No. of privileged accounts in target: 5
No. of global groups: 10
No. of local groups: 10
No. of computer accounts: 1,045

Security Principal Testing Prerequisites
The testing domains were created by restoring a backup from one of the NT domain controllers of each domain within the lab. Time was also taken to prepare the testing Active Directory environment. Using AD best practices, T&T Corp. created an empty forest root domain named TandT.net and created a single global child domain for the production environment called Intranet.TandT.net. IT also made the following preparations:

  1. The NT machines all include Service Pack 6a as well as the Microsoft RPC patch (Microsoft Security Bulletin MS03-010).
  2. The Windows Server 2003 machines also include the Microsoft RPC patch.
  3. The Windows Server 2003 forest includes two domains, the forest root and the production child domain. Both domains are set to Windows Server 2003 native modes, but the forest is not yet converted.
  4. To make sure NT and AD will speak to each other, IT took the time to cross over DNS addresses from one environment to the other, creating a Windows Server 2003 entry in NT and creating the NT entry in Windows Server 2003.
  5. A two-way trust was set between the TandT (NT) and the Intranet.TandT.net (Windows Server) domains.
  6. Since the Windows NT System Key (Syskey.exe) has been applied to all DCs in the single master domain, IT had to add a new backup domain controller without the encryption key in the lab to allow some of the tools to read NT passwords. Since there is little load on this machine, an old PC was powerful enough for this role.
  7. T&T wants to perform the migration from the target domain, but to do so, IT needs local administrative rights on each machine in the source domain. There are several ways to do this—for example, IT could run a command on each machine to add an administrative account from the target domain to the local administrators group—but T&T wants to do it with the least amount of effort. First, IT added the Domain Admins group from Intranet.TandT.net to the Administrators group in the TANDT domain and added the Domain Admins group from TANDT to the Administrators domain local group in the Intranet.TandT.net domain. This gives cross-over administrative rights at the domain level. Next, IT uses a Run As command in the target domain to execute the migration tools with the Administrator credentials from the TANDT domain. This automatically gives local administrative rights on each machine in the source domains.

Product Information

Aelita Domain Migration Wizard
$12 per user
Aelita
www.aelita.com

BindView bv-Admin for Windows Migration

$9.95 per user
BindView
www.bindview.com

NetIQ Domain Migration Administrator
$3 per user, $6 per user for suite
NetIQ
www.netiq.com

Quest Fastlane Migrator 6.0
$10 per user
Quest Software
www.quest.com

NetIQ Domain Migration Administrator
First up is Domain Migration Administrator from NetIQ. NetIQ built Microsoft’s Active Directory Migration Tool. DMA is similar to ADMT, but with more bells and whistles.

The installation went smoothly; since it’s an MSI package, it will be easy to uninstall to proceed with other tests. Once installed, DMA proved quite easy to use. The migration interface clearly lists the steps to perform, and their order (see Figure 2). Each migration can be performed live or through the creation of a migration project. One advantage of using a project instead of a direct migration is that projects support single object undos or rollbacks. If a single user is migrated that shouldn’t have been, you can simply roll back this user to the original domain.

DMA includes pre-migration tasks such as analyzing the source domain environment to discover just how many security principals are valid and how many are obsolete (some organizations simply disable accounts and never actually remove them from the SAM). These reports help determine if the SAM needs to be cleaned up as objects migrate from NT to AD. DMA also supports migration testing for each project, helping identify issues with the project before performing the actual migration.

NetIQ Domain Migration Administrator
Figure 2. NetIQ Domain Migration Administrator provides a step-by-step approach to migrations, making it the simplest tool to use.

DMA can migrate users individually or through groups. When you choose a Global or Local group, DMA offers to include all the group’s users during the migration. If your group strategy in NT is well designed, you can migrate users on a group-per-group basis, and target the appropriate organizational unit (OU) in AD. DMA lets you create or modify the OU structure as you prepare a migration project, so it doesn’t have to be prepared beforehand. It’s a very good idea, though, to plan and prepare the OU structure in advance; this isn’t something you want to do on the fly. DMA also supports the migration of security identifier (SID) history, a key element of any migration.

DMA migrates passwords from NT to AD with ease, though it doesn’t seem to verify password validity for the target domain. In a Windows 2003 domain, password complexity is enabled by default with a minimum password length of seven characters. However, DMA let Don migrate accounts with non-complex passwords that used fewer than seven characters. What’s worse, these users were able to log into the new intranet domain with their inadequate password without any errors.

DMA is a solid tool, but if T&T picks this product, Don will have to rethink his password migration strategy.

BindView bv-Admin for Windows Migration
Bv-Admin for Windows Migration, BindView Corp.’s flagship migration product, also installs as an MSI package. It proposes two products for Windows migrations: The first migrates security principals, and the second migrates Windows resources (files and folders, printers, profiles and more). Migration projects can be charted through templates. And though several templates are available for resource migrations, none are provided for security principal migrations (see Figure 3). Bv-Admin also supports migrations through the use of projects. Migrating groups will include the accounts they contain, just as with NetIQ’s DMA.

BindView bv-Admin
Figure 3. BindView bv-Admin uses two major tools to perform Windows migrations. The first migrates security principals. This tool is supported by a series of utilities such as the Password Copy utility. The second migrates Windows resources.

Because its list of prerequisites is quite daunting (Service Pack 6a, the Directory Services Client for NT, and much more), bv-Admin shouldn’t be installed in the source domain if that domain is an NT environment. It’s easier to install bv-Admin in the destination domain, since Windows 2003 already includes most prerequisites for the tool to function. Password migrations are supported, but migrating passwords is a separate activity and must be performed after migrating accounts. Bv-Admin is quite resource intensive, one reason BindView recommends limiting migration projects to no more than 2,000 users or 50 PCs at a time (migrating a single PC took more than two hours). If the source domain is AD instead of NT, bv-Admin requires that the Password Export Server (PES) tool from Microsoft’s ADMT Version 2 be installed. Otherwise, it won’t be able to read passwords. In addition, bv-Admin recommends changing default settings in Windows 2003 to create more than 10 accounts during a migration, something not done lightly. [This paragraph contains a corrected statement that isn't reflected in the print issue.—Editor]

Bv-Admin’s features are extremely comprehensive, but far from intuitive. Migration setup was complex and not always evident. Fortunately, bv-Admin can automate the process through the SIDHistory Configuration tool. Though there is no mention of Windows 2003 in the tool, it worked mostly well in this environment.

Aelita Domain Migration Wizard (DMW)
Aelita’s Domain Migration Wizard (DMW) offers all the features required to perform a directory migration. However, Don had to use two Aelita tools to achieve his goals because DMW doesn’t include reporting by itself. Instead, reporting is handled by Aelita’s powerful Enterprise Directory Reporter (EDR). EDR can not only report on all aspects of the directory, but also perform a comprehensive hardware and software inventory of the entire network, making it useful even after the migration. EDR requires either Microsoft’s desktop database engine (MSDE) or a full version of SQL Server to operate.

DMW, on the other hand, requires the Microsoft Access 2000 runtime, because each migration project is stored in its own database. Undo level is only supported for an entire project. With DMW, you can begin a migration, stop it in the middle, and start it over again exactly where it was stopped. This is the only product that provides this feature. Though the interface isn’t as intuitive as NetIQ’s, DMW includes a Quick Tour of the product, letting users rapidly learn what steps are required to migrate (see Figure 4).

Aelita Domain Migration Wizard
Figure 4. Aelita uses four steps to perform a migration. Each is available in the Migration menu located in the toolbar. Each migration is treated as a project, though only one project can be loaded in the interface at a time.

DMW proposes four simple steps towards a migration—migrate users, groups and computer accounts; support the interaction of users in both the source and target environment; deactivate source accounts; perform directory cleanup operations. DMW fully supports the migration of SID history. It also uses a nifty approach to the migration of computers from one domain to another, simply replacing key Registry entries to move the system from the source to the target domain without requiring a reboot. Computer migration, however, requires you to either have all systems turned on before the migration, or provide the Aelita Agent Manager with a list of systems. If the latter is chosen, Agent Manager will continue to retry systems that are turned off until they’re turned on again.

DMW comes with a thorough resource kit with all sorts of utilities, including a tool that demotes NT domain controllers to member servers.

Though DMW provides comprehensive reporting through EDR, it doesn’t support migration testing. It supports migration through groups, though not in a very intuitive way. In fact, Don missed this feature in his first tests and was only able to find it after researching the documentation. The product is powerful and feature complete, but not intuitive. And DMW doesn’t install as an MSI, using an outdated setup. Though it’s understandable that Aelita doesn’t want to invest further in this product, as it’s aimed at NT and the company has a new AD-focused tool, converting the install would be a good idea.

Quest Fastlane Migrator
Quest Fastlane Migrator is also an MSI installation, providing a quick and simple installation process. Once installed, Migrator is easy to use. When launched, it automatically displays the Migration Project interface, giving clear instructions on how to proceed. Don didn’t even need the user manual to begin his first migration testing project. Quest presents each aspect of a migration project in a step-by-step format. For Quest, three steps are required: First, migrate accounts and groups; next, update resources such as computers and servers; finally, clean up the directory.

Each task includes clear and detailed instructions presented in the details pane of Migrator’s Project Microsoft Management Console (MMC) interface (see Figure 5). For reports, you have to close the project you’re working on and use the NT Reporter from the Migrator console. NT Reporter can report on a variety of objects in the NT domain: users, computers, groups, NTFS permissions and more. Since it’s slow, it may be a good idea to launch and let the report run through the night if your network includes several thousand objects. There seems to be no way to limit the number of user accounts analyzed by this reporting tool. Once complete, the report is quite detailed. Reports are stored within MSDE or SQL Server, which need to be installed prior to the Migrator installation.

Quest Migrator
Figure 5. Quest Migrator provides an intuitive interface that outlines the steps required for a migration. For Quest, only three steps are required.

Migrator comes with a resource kit with several useful tools. One of these is the DC Mover, which migrates DCs from source domains to target domains without losing any of the permissions stored on the server. This is great for multipurpose DCs that also host file and print services. The resource kit also includes a Laptop Updater, designed to create migration jobs that can be run when laptops aren’t connected to the network. The Remote Update can also run jobs remotely without having to install an agent on the remote computer. The SIDHistory Mapper can remap SIDs to accounts that have been previously migrated without history.

The only drawback of Quest Fastlane Migrator is that it must use the ADMT Password Export Server to be able to handle password migrations, requiring the installation of a special server to support this aspect of the migration (see online review of ADMT). The PES software is included on the Quest CD. Despite this, Don found Migrator to be a feature-rich product with an intuitive interface that makes migrations easy for newcomers and experienced users alike.

Managing SID History
Each account created in a Windows domain is given an individual security identifier (SID). The SID is a number that is randomly generated when a security principal (a user or computer account, or a security group) is created. Though people deal with account and group names, Windows works with the SID. When a user creates or modifies objects in a network, it’s the SID that is associated with the object, not the user’s name. When you migrate a security principal from one domain to another, you assign a new SID to the security principal.

As all a user’s data is associated with the SID that represents the user at the time an object is created, all of a user’s data in the source network will be associated with the user’s legacy SID. When you transfer this data to the new network, you must use a special technique that will either carry over the user’s legacy SID or translate the SID on the object to the user’s new SID (the one generated by the new network). Active Directory includes an attribute called SIDHistory. This attribute retains the user’s legacy SID when the user account is migrated. This way a user has access to objects created in the source network even if they have been migrated to the target network (this also requires a tool that can migrate files and folders but retain the original SIDs). Once the objects are migrated, you need to remove the SID history.

The best way to do this is to use SID translation. This operation removes the original SID from an object’s properties and applies the new SID. Once this is done, you can remove the user’s SID history attribute. This helps create a more secure network because malicious users could use the SID history attribute to gain unauthorized access to resources.

—Danielle Ruest and Nelson Ruest
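As an added example that is not from the article or from any of the reviewed products, the Python below decodes the binary form in which Active Directory stores objectSid and sIDHistory, then audits a constructed export of migrated accounts the way the sidebar above describes: each legacy SID is marked for clearing once SID translation has replaced it on the migrated resources, kept while resources still reference it, or flagged for investigation if it did not come from the expected source domain. The domain SIDs, account names and the set of already-translated SIDs are constructed placeholders, not values from the T&T environment.

```python
import struct


def sid_bytes_to_string(blob):
    """Decode the binary SID layout AD stores in objectSid and sIDHistory into S-R-A-... text.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier authority
    (48-bit big-endian), then one little-endian 32-bit integer per sub-authority.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used here only to build the constructed sample export."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(sid):
    """Drop the relative identifier (last sub-authority) to obtain the issuing domain's SID."""
    return sid.rsplit("-", 1)[0]


# Constructed domain SIDs standing in for TANDT (NT source), Intranet.TandT.net (target)
# and an unrelated domain whose SIDs should never appear in this migration's history.
SOURCE_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
TARGET_DOMAIN = "S-1-5-21-2000000001-2000000002-2000000003"
FOREIGN_DOMAIN = "S-1-5-21-3000000001-3000000002-3000000003"


def _sid(domain, rid):
    return sid_string_to_bytes("%s-%d" % (domain, rid))


# Constructed export of migrated accounts, with the binary values an LDAP dump would carry.
ACCOUNTS = [
    {"sAMAccountName": "dapscot", "objectSid": _sid(TARGET_DOMAIN, 1105), "sIDHistory": [_sid(SOURCE_DOMAIN, 1001)]},
    {"sAMAccountName": "jdoe", "objectSid": _sid(TARGET_DOMAIN, 1106), "sIDHistory": [_sid(SOURCE_DOMAIN, 1002)]},
    {"sAMAccountName": "svc_backup", "objectSid": _sid(TARGET_DOMAIN, 1107), "sIDHistory": [_sid(FOREIGN_DOMAIN, 512)]},
    {"sAMAccountName": "ksmith", "objectSid": _sid(TARGET_DOMAIN, 1108), "sIDHistory": []},
]

# Constructed: legacy SIDs that SID translation has already replaced on every migrated resource.
TRANSLATED = {SOURCE_DOMAIN + "-1001"}


def audit_sid_history(accounts, translated, source_domain):
    """Classify every sIDHistory entry as clear / keep / investigate; returns (account, legacy SID, status)."""
    findings = []
    for acct in accounts:
        for blob in acct["sIDHistory"]:
            legacy = sid_bytes_to_string(blob)
            if domain_sid(legacy) != source_domain:
                status = "investigate: history SID is not from the source domain"
            elif legacy in translated:
                status = "clear: resources already translated to the new SID"
            else:
                status = "keep: resources still reference the legacy SID"
            findings.append((acct["sAMAccountName"], legacy, status))
    return findings


if __name__ == "__main__":
    for name, legacy, status in audit_sid_history(ACCOUNTS, TRANSLATED, SOURCE_DOMAIN):
        print("%-12s %-48s %s" % (name, legacy, status))
```

The "investigate" branch is the one worth keeping after the migration ends: a history entry from a domain that was never a source is exactly the kind of SIDHistory abuse the sidebar warns about, and once every legacy SID is in the translated set the attribute can be cleared for the whole account.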

Don’s Final Evaluation
To prepare his final report, our fictional IT manager tabulated all the results of his product tests and placed them in a comparative table (Table 1). This gave him an overview of the technical capabilities of each product. He then calculated the cost for each migration tool based on the information provided by each respective product manufacturer. This was as simple as multiplying the number of user accounts Don needs to migrate (1,255) by the cost per user. The results were extremely varied. Quest Fastlane Migrator was $12,550; the Aelita Controlled Migration Suite was $15,060; bv-Admin for Windows Migration was $12,487.25; and NetIQ Domain Migration Administrator was $3,765.

For Don, the decision was very easy. Even though it was not his first choice, he opted for NetIQ Domain Migration Administrator because it was the easiest to support in his business case. In fact, he decided to recommend the acquisition of the entire NetIQ Migration Suite because for a total of $7,530, he would not only get the Domain Migration Administrator, but also the Server Consolidator as well as Exchange Migrator.

Don was disappointed that Quest Fastlane Migrator was so expensive (more than $12,500), because he really liked its approach to migration, providing clear, concise steps for each phase of the project. Its reporting capabilities were also quite acceptable, but it will be impossible for Don to make a business case that recommends Quest Fastlane Migrator, when NetIQ provides most of the same functionality for a much lower price.

He may, however, decide to acquire Aelita’s Enterprise Directory Reporter on its own since he was thoroughly impressed by its directory reporting and inventory features—features that could be useful in the new network.

BindView’s bv-Admin supported all three of T&T’s testing goals—reporting, testing and migrating—as well as single object undos. The cost of bv-Admin, however, makes it difficult to justify. Don has decided that for less than the cost of a new server, he can acquire the NetIQ Migration Suite, which gives him three useful tools for his migration today and will remain useful for supporting other operations later.

Table 1. Migration Tool Evaluation
Activity Aelita Controlled Migration Suite BindView bv-Admin for Windows Migration NetIQ Domain Migration Administrator Quest Fastlane Migrator
Profile Translation Support
Print Migration
MMC Taskpad
Multiple Domain Support
MSI Installation
SID History Support
SID History Cleanup
Migration Reporting
Migration Testing X
User Settings Support
Documentation Format PDF, Compiled Help PDF, Compiled Help Word, Compiled Help PDF, Compiled Help
Database Support Access 2000, MSDE, or SQL Access Access SQL or MSDE
Delegation of Migration Task
Two-way Trusts Required
Move to Specific Destination (OU)
Capacity to Create an OU during the move
Undo Capability At the session level At the object level At the object level for projects At the object level
Resource Kit  X
Tutorials or Quick Start Guides  Tutorial Knowledge Base
Support for Migration Project
Source Domains NT, 2000, 2003 NT, Proprietary NT OUs, 2000, 2003 NT, 2000, 2003 NT, 2000, 2003
Target Domains NT, 2000, 2003 NT, 2000, 2003 NT, 2000, 2003 NT, 2000, 2003
Scripting support VBScript X VBScript, JScript With support from Professional Services Group
Command-line support  Obtain from Tech Support  Obtain from Professional Services Group
Legend:
 Provides full functionality
 Provides partial functionality
X Does not provide any functionality

Additional Information
 For more information on the parallel network migration approach, see Windows Server 2003, Best Practices for Enterprise Deployments, by Ruest and Ruest (Osborne McGraw-Hill, 2003, ISBN: 007222343x)

 Windows Server 2003 Pocket Administrator, by Ruest and Ruest (Osborne McGraw-Hill, 2003, ISBN: 0072229772)

 Microsoft Security Bulletin MS03-010: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-010.asp

 Windows NT System Key application: http://support.microsoft.com/default.aspx?scid=kb;en-us;143475

 Adding more than 10 computer accounts to a domain: http://support.microsoft.com/default.aspx?scid=kb;EN-US;251335

 Migrating accounts while using SID History: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbi_reer_ggoc.asp?frame=true

 Aelita’s Tips and Tricks Guide to Windows 2000 and Active Directory Administration: http://www.aelita.com/Reg/Marketing/ebook/ebook.asp

 Active Directory Migration Tool, version 2.0: http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en
