Migration Guide
Prepared by Microsoft
Version 1.0.0.0 Baseline
First published 17 March 2008
Copyright
This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England.
Intellectual Property
Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise
their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content.
Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.
All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Disclaimer
At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in
time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.
Active Directory Migration Guide
TABLE OF CONTENTS
1 Executive Summary
2 Introduction
2.1 Value Proposition
2.2 Knowledge Prerequisites
2.2.1 Skills and Knowledge
2.2.2 Training and Assessment
2.3 Infrastructure Prerequisites
2.4 Audience
2.5 Assumptions
4 Envision
4.1 Active Directory Overview
4.2 Initial State Environment
4.2.1 Public Domain Active Directory Migration Guidance
4.2.2 Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance
4.2.3 Technology Scenarios
4.3 End State Environment
5 Plan
5.1 Migration Type
5.1.1 New Active Directory or In-Place (Upgrade) Migration
5.1.2 Direct or Phased Migration
5.2 Evaluating the Existing Environment
5.3 Scope of Migration
5.3.1 Users
5.3.2 Groups
5.3.3 Computers
5.3.4 Printers
5.3.5 Data
5.3.6 Login Scripts
5.4 Migration Process
5.4.1 Manual Migration
5.4.2 Automated Migration
5.5 Migration Tools Available
5.5.1 Migrating from Microsoft Operating Systems
5.5.2 Migrating from Novell NetWare Operating Systems
6 Develop
6.1 Windows NT 4.0 Domain or Active Directory Migration
6.1.1 ADMT Prerequisites
6.1.2 Installing ADMT
6.1.3 Enabling Password Migration
6.1.4 Configuring ADMT
6.1.5 ADMT Option File and Include File
6.2 Novell NetWare Migration
6.2.1 Microsoft SfN Prerequisites
6.2.2 Installing Microsoft Services for Netware
6.2.3 Directory Synchronisation Using MSDSS
6.2.4 Password Synchronisation Using MSDSS
7 Stabilise
7.1 Migration Test Process
7.1.1 Pilot
7.2 Reviewing Log Files
7.2.1 Microsoft Migration Logs
7.2.2 Novell Migration Logs
1 EXECUTIVE SUMMARY
The Active Directory Migration Guide will help accelerate the planning and subsequent migration to
Microsoft® Windows Server® 2003 Active Directory® within a healthcare organisation, and help
bring about a reduction in diversity of server operating systems.
The Active Directory Design Guide¹ provides a healthcare organisation with the information
required to design a new Active Directory infrastructure. This document (Active Directory Migration
Guide) provides guidance and current best practice specific to the healthcare industry for the
planning and creation of an Active Directory migration solution.
This document includes guidance for a healthcare organisation migrating from the following:
Microsoft Windows NT® Server 4.0 domains
Microsoft Windows® 2000 Server Active Directory
Microsoft Windows Server 2003 Active Directory
Novell® Directory Services (NDS) 4.x, 5.x and 6.x
¹ Active Directory Design Guide {R1}:
http://www.microsoft.com/industry/healthcare/technology/hpo/security/activedirectory.aspx
2 INTRODUCTION
At present, healthcare organisations typically use one of a number of solutions available for user
authentication and providing access to resources. Should a healthcare organisation wish to deploy
Active Directory within their environment, they need to first ascertain how the users, computers,
applications, data and other resources will be migrated across.
This document is a component of the strategic Microsoft infrastructure guidance provided through
Microsoft Healthcare Platform Optimisation. It provides current best practice guidance, sample
scripts and specific design decision recommendations on migrating to Microsoft Windows Server
2003 Active Directory from a number of different network operating systems.
2.4 Audience
The guidance contained in this document is targeted at a variety of roles within the healthcare IT
organisations. Table 1 provides a reading guide for this document, illustrating the roles and the
sections of the document that are likely to be of most interest. The structure of the sections is
described in section 3.1.
Table 1 columns: Role; Document Usage; Executive Summary; Envision; Plan; Develop; Stabilise; Operate
Role: IT Manager
Document Usage: Review the relevant areas within the document to understand the justification and drivers, and to develop an
understanding of the implementation requirements
2.5 Assumptions
The guidance provided in this document assumes that healthcare organisations that want to share
services and resources between sites already have suitable Internet Protocol (IP) Addressing
schemes to enable successful site-to-site communication (that is, unique IP Addressing schemes
assigned to each participating healthcare organisation with no overlap). Active Directory and the
underlying Domain Name System (DNS) require the use of unique IP Addressing schemes at
adjoining sites for cross-site communication to function successfully. The use of NAT (Network
Address Translation) within an Active Directory environment is neither recommended nor supported
by Microsoft.
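One way to verify the no-overlap assumption before sites are joined, as an added example that is not part of the original guide: it reads each organisation's address plan and reports every pair of ranges, held by different organisations, that overlap. The organisation names and ranges are constructed sample data, and IPv4 is assumed throughout.

```python
import ipaddress

# Constructed sample address plan (assumption): organisation -> CIDR ranges.
SAMPLE_PLAN = {
    "Trust A": ["10.10.0.0/16", "192.168.50.0/24"],
    "Trust B": ["10.20.0.0/16", "192.168.50.128/25"],
    "Trust C": ["10.10.128.0/17"],
}


def find_overlaps(address_plan):
    """Return overlapping ranges held by different organisations.

    address_plan maps an organisation name to a list of IPv4 CIDR strings.
    The result is a list of (org_a, cidr_a, org_b, cidr_b) tuples in
    ascending address order. Ranges that overlap inside one organisation
    are not reported, because they do not break cross-site uniqueness.
    """
    allocations = []
    for org, cidrs in address_plan.items():
        for cidr in cidrs:
            # strict=True rejects entries with host bits set, for example
            # 10.1.1.5/16, which usually means a typing error in the plan.
            allocations.append((ipaddress.ip_network(cidr, strict=True), org))

    # Sort by start address so each range is only compared with earlier
    # ranges that have not ended yet, instead of with every other range.
    allocations.sort(key=lambda item: (int(item[0].network_address),
                                       item[0].prefixlen))

    overlaps = []
    active = []  # earlier ranges whose last address has not been passed
    for net, org in allocations:
        active = [(n, o) for n, o in active
                  if n.broadcast_address >= net.network_address]
        for other_net, other_org in active:
            if other_org != org:
                overlaps.append((other_org, str(other_net), org, str(net)))
        active.append((net, org))
    return overlaps


if __name__ == "__main__":
    for org_a, cidr_a, org_b, cidr_b in find_overlaps(SAMPLE_PLAN):
        print(f"{org_a} {cidr_a} overlaps {org_b} {cidr_b}")
```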
² Microsoft Solutions Framework Core Whitepapers {R2}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
³ MOF Executive Overview {R3}: http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofeo.mspx
4 ENVISION
The Envision phase addresses one of the most fundamental requirements for success in any
project: unification of the project team behind a common vision. There must be a clear vision of
what is to be accomplished such that it can be stated in clear terms. Envisioning, by creating a
high-level view of the overall goals and constraints, will serve as an early form of planning and set
the stage for the more formal planning process that will take place during the planning phase.
Figure 2 acts as a high-level checklist, illustrating the sequence of events that should be
undertaken when envisioning an Active Directory migration within a healthcare organisation:
[Figure 2: Active Directory Overview; Initial State Environment (Public Domain Active Directory Migration Guidance; Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance; Technology Scenarios: Microsoft Windows NT 4.0, Microsoft Windows 2000/2003 Active Directory, Novell Netware); End State Environment]
⁴ Migrating from Windows NT Server 4.0 to Windows Server 2003 {R4}:
http://www.microsoft.com/downloads/details.aspx?familyid=E92CF6A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en
⁵ Designing and Deploying Directory and Security Services {R5}:
http://technet2.microsoft.com/windowsserver/en/library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx
⁶ ADMT v3 Migration Guide {R6}:
http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en
⁷ SFNmig.doc available for download from NetWare to Windows Server 2003 Migration Planning Guide {R7}:
http://www.microsoft.com/windowsserver2003/techinfo/overview/sfnmig.mspx
⁸ Microsoft Word document available for download from Solution for Migrating File, Print, and Directory Services from Novell
NetWare to Windows Server 2003 {R8}: http://go.microsoft.com/fwlink/?LinkID=46606
⁹ Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003 {R9}:
http://technet.microsoft.com/en-gb/library/bb496964.aspx
¹⁰ Services for NetWare 5.03 White Paper {R10}:
http://www.microsoft.com/windowsserver2003/techinfo/overview/sfn503wp.mspx
healthcare organisation make decisions in order to plan a migration solution that meets their
requirements.
The referenced documentation is not expected to be a universal solution for all healthcare
organisations, but rather a set of design choices and best practices that can be used to initiate the
local directory services migration solution, understand what decisions are available, why a decision
is made, and how to implement that decision.
This Active Directory guidance endeavours not to repeat content from public documentation, but to
provide a consolidated, organised and structured reference list to the documents listed in section
4.2.1. It highlights recommendations when it is appropriate for a typical healthcare organisation to
deviate from the current default installation configurations of the tools available, when migrating to
Windows Server 2003 Active Directory.
Where an organisation still utilises Windows NT 4.0 domains, it is common to find domains
deployed within each physical location of the organisation. Trust relationships are then created
between them, in order to share resources amongst the users.
Figure 3 could, for example, represent a centralised account domain where both user and
computer accounts reside, with resource domains distributed throughout the remote sites. In turn,
these resource domains then trust the account domain with a one-way trust; however, it is also
common to find that a two-way trust is used.
Whether there are only a few Windows NT 4.0 domains or over 100, with a complicated
implementation of trust relationships between them, the migration of user and computer accounts
to an Active Directory environment is dealt with in a similar manner.
The migration from an existing Active Directory forest to a current best practice Active Directory
environment is included in this guidance. Migration information is provided from both a Windows
2000 Server domain or forest and a Windows Server 2003 domain or forest. The purpose of
including a migration of this type is for those healthcare organisations that have Active Directory
deployed, but did not follow current best practice guidance when designing the Active Directory
infrastructure. This can typically result from the deployment of an application that had an Active
Directory requirement, and the project scope for the delivery of the application did not include a
detailed design for Active Directory.
A healthcare organisation can use the Active Directory Design Guide {R1} to aid in the production
of a new Active Directory design. They will then be able to use this migration guidance to migrate
the Active Directory objects from one or more Active Directory domains to the new Active Directory
domain.
This guidance covers in detail the options available and the current best practice methods to
migrate from an NDS using NetWare version 4.x, 5.x or 6.x to a Windows Server 2003 Active
Directory. While this guidance focuses on these NetWare versions, it is still possible to use this
guidance if migrating from an implementation of a Novell eDirectory™ environment or a Novell
NetWare 3.x environment (that uses binderies to store user accounts and other resource
information).
5 PLAN
The Plan phase is where the bulk of the implementation planning is completed. During this phase,
the areas for further analysis are identified and a design process commences.
Figure 6 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and
IT Architect need to determine when planning for an Active Directory migration solution within a
healthcare organisation:
5.1.1 New Active Directory or In-Place (Upgrade) Migration
The decision on whether a new Active Directory environment is created from a fresh installation or
an in-place migration should consider some basic advantages and disadvantages as detailed
below.
Important
The in-place migration approach is not available to healthcare organisations that are looking to migrate to
Active Directory from Novell NetWare; therefore, they must use the new Active Directory method.
The creation of a new Active Directory installation provides a clean environment that is not
populated with users or computers that potentially no longer exist. It also allows a clear distinction
between the old and new environments and allows the old environment to remain in place, which
can act as part of a rollback facility should issues occur during the migration.
A disadvantage of creating a new Active Directory installation is that all computers that are
members of the old environment need to have their computer accounts migrated through a manual
or automated/scripted process. The same process needs to take place for the user accounts that
need to be migrated. These disadvantages can be addressed using migration tools such as the
Active Directory Migration Tool (ADMT) or the Microsoft Directory Synchronization Services
(MSDSS) utility.
It is important to also consider the hardware requirements for the in-place migration approach. If a
healthcare organisation is assessing an in-place migration from a Windows NT 4.0 domain, the
server to be used should be both the Primary Domain Controller (PDC) and be capable of running
Windows Server 2003. If the server is not capable of running Windows Server 2003, a common
approach is to install Windows NT 4.0 as a Backup Domain Controller (BDC) on a new server that
does meet the hardware requirements of Windows Server 2003, and to promote this as the PDC.
This server can then be upgraded to Windows Server 2003, retaining the user and computer
objects.
Caution
If a new server is to be purchased to install Windows NT 4.0 and subsequently upgraded to Windows
Server 2003, ensure the hardware vendor provides Windows NT 4.0 drivers for the server because many
new servers fail to run the Windows NT 4.0 operating system properly, due to the lack of available drivers.
Recommendation
It is recommended that a new Active Directory installation is deployed to introduce a clean environment
that can be designed from the ground up. Use the Active Directory Design Guide {R1} to aid in the
designing of the new Active Directory.
In a phased migration, it is important to make both the old and new environments accessible,
whether through trusts or synchronisation. In a Windows-based environment, this can occur
through the use of external trust relationships, whereas in a Novell environment, this involves using
tools to synchronise directory information.
Infrastructure Area: Comment
Network Diagram: The current network should be documented in a diagram to show the location of servers, and the server type, such as file server, Web server, database server, and so on. For each server, the server operating system’s version, patch revision, and the transport protocols that are in use should also be documented.
Printers: Ensure all printers currently used within the environment can continue to be used once migrated. Especially in NetWare environments, where a printer currently uses the Internetwork Packet Exchange (IPX) protocol, ensure it can use TCP/IP. If not, the printer may need replacing.
Network stored information: All information stored on the network servers needs to be identified, whether it is user data or application data. The location of the data, who is responsible for it, which users have access to it and the security requirements for data storage must also be noted.
Server operating systems dependent software: Ensure that if any software installed on a server to be decommissioned is still required, it is catered for in the migration process. This involves documenting the version installed, any configuration and whether or not the software can run on Windows Server 2003. If not, the software may need updating or replacing.
Local Area Networks (LAN)/Wide Area Networks (WAN) links: Along with the network diagram detailing the servers, it is also important to create a diagram that includes the network links in place and the available bandwidth. This is a prerequisite for an Active Directory design.
User environment properties: This includes the identification of login scripts, system or group policies in place, and home folder locations.
Health of current domain or NDS: This primarily refers to the synchronisation between servers but also to the server operating system. For NT4 domains or Active Directory, ensure replication is occurring properly between domain controllers and the event viewer does not contain any unexpected errors. For Novell servers, use tools such as DSTRACE and DSREPAIR to verify synchronisation.
Systems to be migrated: Determine which servers are to be migrated or decommissioned. As part of this, understand which users, groups, computers, files, and databases will be affected.
Table 2: Evaluating the Existing Environment
5.3.1 Users
Different types of user accounts have different requirements and access needs. Typically, a user
account can be placed into one of three categories:
IT administrator
Service account
Standard user
Migrating to a new Active Directory environment provides an ideal opportunity to ensure that
appropriate administrative accounts are created. These administrative accounts are those that are
used by members of the IT department or that are delegated certain permissions. These are not
the day-to-day accounts for users, but rather the accounts that should be used to run administrative
tasks.
Recommendations
Administrators, or those users being delegated administrative rights for certain job role functions, should
not have administrative permissions granted to their normal day-to-day accounts. Instead, a separate
account should be created with the appropriate rights and permissions. The user should then use the ‘Run
as’ feature to carry out this portion of their responsibilities. For more information on the current best
practice method of using Run as, see the Windows Server 2003 Product Help Web page Using Run as¹¹.
The migration of user accounts should be carried out using the following order:
1. Administrative accounts
2. Service accounts
3. User accounts
If migrating from an NDS environment, a user is uniquely identified through the distinguished name,
and not the common name (CN). For example, when creating a user in NDS, a common name
could be specified as Anna, whereas the NDS distinguished name could be Anna Bedecs. If
another user existed in a different NDS organisational unit with the common name of Anna, but with
an NDS distinguished name of Anna Lidman, this is allowed. However, in Active Directory, user
account names must be unique across the whole domain, not just the OU, as is the case in NDS.
Note
The specific user account names that need to be unique in Active Directory are:
Distinguished Name (DN)
Relative Distinguished Name
SamAccountName
If both users were to be migrated, the first user migrated would have the logon name Anna, but the
second user would have the logon name Anna0. The Active Directory Design Guide {R1} provides
information on naming conventions, including users with the same name.
Recommendation
If users exist with the same name, it is recommended that a healthcare organisation change the logon
names of the users within NDS, to make them unique, prior to the migration.
The same process should be applied to users with the same name that currently exist in different
Windows NT or Active Directory domains that are being restructured into a single Active Directory domain.
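A pre-migration check for the two rules in this section, as an added example that is not part of the original guide: it holds back accounts whose logon names collide once several NDS OUs or Windows NT domains are merged into one Active Directory domain, and orders the remaining accounts administrative, service, then user. The Account fields, the category labels and the sample inventory are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Migration order from section 5.3.1: administrative accounts first,
# then service accounts, then user accounts. The labels are assumptions.
CATEGORY_ORDER = {"admin": 0, "service": 1, "user": 2}


@dataclass(frozen=True)
class Account:
    logon_name: str  # NDS common name or Windows NT / AD logon name
    full_name: str
    source: str      # constructed label for the source OU or domain
    category: str    # "admin", "service" or "user"


# Constructed sample inventory (assumption), including the page's
# example of two users called Anna in different NDS OUs.
SAMPLE_INVENTORY = [
    Account("Anna", "Anna Bedecs", "NDS OU=Cardiology", "user"),
    Account("ANNA", "Anna Lidman", "NDS OU=Radiology", "user"),
    Account("jkumar", "Jaya Kumar", "NT4 domain WARD-A", "user"),
    Account("svc-backup", "Backup agent", "NT4 domain WARD-A", "service"),
    Account("adm-jkumar", "Jaya Kumar (admin)", "NT4 domain WARD-A", "admin"),
    Account("svc-print", "Print spooler", "NT4 domain WARD-B", "service"),
]


def find_logon_collisions(accounts):
    """Group accounts whose logon names would clash in one target domain.

    Active Directory compares logon names without regard to case, so
    names are case-folded before grouping. Returns a dict mapping the
    folded name to the list of accounts claiming it, for every name
    claimed by more than one source account.
    """
    by_name = defaultdict(list)
    for acct in accounts:
        by_name[acct.logon_name.strip().casefold()].append(acct)
    return {name: accts for name, accts in by_name.items() if len(accts) > 1}


def plan_migration(accounts):
    """Return (ready, held_back).

    ready     : accounts with a unique logon name, ordered admin,
                service, user and alphabetically within each category.
    held_back : accounts to rename at the source before migration,
                so that no name is altered during the migration itself.
    """
    unknown = {a.category for a in accounts} - set(CATEGORY_ORDER)
    if unknown:
        raise ValueError(f"unclassified account categories: {sorted(unknown)}")

    collisions = find_logon_collisions(accounts)
    held_back = [a for accts in collisions.values() for a in accts]
    held = set(held_back)
    ready = [a for a in accounts if a not in held]
    ready.sort(key=lambda a: (CATEGORY_ORDER[a.category],
                              a.logon_name.casefold()))
    return ready, held_back


if __name__ == "__main__":
    ready, held_back = plan_migration(SAMPLE_INVENTORY)
    print("Rename before migration:")
    for acct in held_back:
        print(f"  {acct.logon_name:<12} {acct.full_name} ({acct.source})")
    print("Migration order:")
    for acct in ready:
        print(f"  {acct.category:<8} {acct.logon_name} ({acct.source})")
```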
¹¹ Using Run as {R11}:
http://technet2.microsoft.com/windowsserver/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx?mfr=true
5.3.2 Groups
Groups are a common object found in all current server operating systems and must be catered for
in the migration.
If migrating from NDS using MSDSS, any NDS organization or NDS OU that will be part of the
migration will have a domain local security group created in Active Directory. These domain local
security groups will then be mapped to the corresponding NDS organisation or NDS OU.
In a Windows NT 4.0 environment, a local group is converted to a domain local security group and
a global group converts to a global security group. If migrating groups, and user membership of
their groups is still required, Security Identification (SID) history must also be migrated. SID history
migration is completed using ADMT v3, which can automatically configure the old and new
domains as part of the installation and initial usage process.
Caution
A global group migration process can consume large amounts of network resources, as well as local
resources on the domain controller in the target domain. Therefore, a global group migration should be
completed outside of normal or peak working periods.
5.3.3 Computers
As with users, computers can also be placed into their different categories such as:
Servers
Desktops
Portable computers
Each computer type will need different considerations when being migrated to the new
environment. These computer types are discussed in more detail below.
5.3.3.1 Servers
Servers require particular focus and the amount of effort required to migrate them is highly
dependent upon the current role they play within the existing infrastructure.
For example, a server running Windows Server 2003 configured as a member server, and
operating as an intranet Web site for users, could be migrated without many configuration changes.
However, a Novell NetWare server authenticating users and running an unsupported application
could require a lot more planning to migrate and potentially to decommission.
Recommendation
Replacing existing directory-enabled services or applications with new Active Directory-enabled software
is a task that should be performed independently of the migration of NetWare users, groups, distribution
lists, organisational units, organisations, and files.
5.3.3.2 Desktops
Desktops are commonly seen as one of the easiest objects to migrate. However, there are areas
that need careful consideration and can sometimes be overlooked.
For example, in an environment where a computer currently runs a small application that requires
the Microsoft Windows 98 operating system to operate, if secure communication is required
between the server and client computer, the computer will require the Active Directory Client
Extension (DSClient) to be installed. This is also the case for Windows NT 4.0 client computers.
These computers will therefore require a resource to manually install the software required, which
takes additional time and planning.
Recommendation
It is highly recommended that if a healthcare organisation has computers with the Microsoft Windows 95,
Windows 98 or Microsoft Windows NT Workstation 4.0 operating systems installed, which will become
part of the new Active Directory environment, the DSClient is installed for more secure communication
between the server and client computer (through the use of the NTLMv2 level of LAN Manager
Authentication).
In a NetWare environment, a computer would typically have the Novell Client32 or Novell Client for
Windows software installed. As part of the migration, the Client32 software would need to be
removed and the computer would then use the Windows client for user authentication to the new
environment. This Client32 software can either be removed manually or via a script that is run
through a login script or batch command file.
As part of a migration from a Microsoft or Novell environment, unless an in-place migration is taking
place, all desktops will need to be configured with new domain membership to become part of the
new environment.
Important
One of the most common failures during a migration of computer accounts is due to the desktop computer
being switched off and, as such, it cannot be migrated. It is important for a communication to be sent out
to all computer users informing them that computers must be left on for the duration of the migration.
5.3.4 Printers
Printers are an important resource to users and access to them must be maintained at all stages of
the migration.
Important
If all printers used in a Novell environment are required to be migrated to the new environment, ensure
that the printers can be printed to using TCP/IP and not just IPX.
5.3.5 Data
In Novell environments, the File Migration Utility (FMU), which is part of SfN, can be used. When
using MSDSS, it is possible to complete a migration that includes an option for a file migration. This
option creates a migration log that the FMU can use to maintain users’ access rights to their data.
In Microsoft environments, use a backup and restore method to migrate the data and use a tool
such as Robocopy to ensure that any files updated by users during the backup and restore process
are kept up to date. Shared folders cannot be migrated, so a tool such as the Windows Server
2003 Resource Kit tool (Permcopy.exe) can be used to copy the permissions from a source share
path to a target share path.
12 Print Migrator Tool 3.1 {R12}:
http://download.microsoft.com/download/4/5/2/452d431e-5a5c-43bd-b398-6fc27208e001/printmig.exe
13 Microsoft Print Migrator 3.1 {R13}:
http://download.microsoft.com/download/2/e/5/2e57d536-2bb5-40f1-b52d-a11f5aae2e22/Microsoft%20Print%20Migrator%203.1.doc
14 Client Service for NetWare {R14}:
http://technet2.microsoft.com/windowsserver/en/library/eda1cc2b-c3cc-4845-add0-503439f6d1271033.mspx?mfr=true
The tools available to use as part of the migration depend upon the platform from which objects are
migrated. The freely-available tools provided by Microsoft enable a healthcare organisation to
migrate to Active Directory in a much faster and more efficient manner than using manual
migration.
ADMT can also be used to restructure domains if migrating from an existing Active Directory
infrastructure. Two types of restructuring exist for Active Directory domains: interforest and
intraforest.
An interforest restructure, as shown in Figure 7, involves migrating objects between Active
Directory forests; typically faced in a merger between organisations, such as two healthcare
organisations amalgamating and combining the IT infrastructure to reduce administrative
complexity and overhead:
15 Active Directory Migration Tool v3.0 {R15}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-aff85ad3d212&DisplayLang=en
An intraforest restructure involves migrating objects between multiple domains within the same
Active Directory forest as shown in Figure 8:
A major difference that can influence the decision between these types of restructuring should be
fully understood:
Objects during an intraforest restructure are migrated and no longer exist in the old
environment.
Objects in an interforest restructure are cloned, and therefore the original objects remain in
place. In this case, a healthcare organisation would have the immediate benefit of having
an environment that could be rolled back to, should an issue occur.
Recommendation
A healthcare organisation migrating from a current Active Directory infrastructure should use the
interforest restructure migration method to ensure that the new environment contains only the required
objects and has been designed according to the guidelines set out within the Active Directory Design
Guide {R1}. This provides the additional benefit of keeping the old environment intact should a rollback be
required.
Only consider an intraforest restructure if the current Active Directory is in a healthy state with a well
managed collection of objects that are known to be up to date, and the design of the Active Directory
follows the Active Directory Design Guide {R1} recommendations and/or is well documented.
Recommendation
For a healthcare organisation that does not have in-house expertise in Microsoft Visual Basic Scripting
Edition (VBScript), it is recommended that the command line method is used, combined with an option file
and an include file. This provides the easiest method to test a migration; it aids in documenting the objects
being migrated, and in running the final migration.
By default, ADMT uses the Microsoft SQL Server 2000 Desktop Engine (WMSDE) as its data
store. It is also possible to configure ADMT to use SQL Server 2000 SP4 Standard, SQL Server
2000 SP4 Enterprise Edition, or Microsoft SQL Server 2005.
Recommendation
It is recommended that healthcare organisations use the default WMSDE database store, as installed and
configured during the installation of ADMT.
5.5.1.3 Third-Party Tools
Whilst ADMT provides an extensive array of options when migrating from Windows NT 4.0 or
Active Directory, for large complex environments, some limitations of ADMT could require a
healthcare organisation to provide extra resource in planning, developing and migrating between
environments.
Other migration tools are available for purchase from other companies, for example, Quest
Software has a Domain Migration Wizard product focusing on migrations from Windows NT, and
the Migration Manager for Active Directory product, for migrations and domain restructuring from
Active Directory.
These tools can provide enhanced benefits such as:
Complete rollback capabilities
Directory synchronisation
Post-migration clean-up of resources
Detailed statistics of the migration
16 Windows 2000 High Encryption Pack (128-bit) {R16}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C10925A0-AC66-4C44-B5C3-9DCAB4DA1C63&displaylang=en
17 Internet Explorer High Encryption Pack 4.0 {R17}: http://go.microsoft.com/fwlink/?LinkId=76038
For more details on the tools available from Quest Software, visit the Migration Tools for Active
Directory Web page¹⁸.
Note
The information provided here on Quest Software tools is neither a recommendation nor an endorsement
for its use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for
their Active Directory migration project, careful assessment, planning and testing of the migration must still
take place.
File and Print Services for NetWare (FPNW) is a tool that can make a Windows Server 2003 server
appear to be a NetWare 3.x server to client machines. FPNW is available to download from the
same Web page as SfN¹⁹.
18 Migration Tools for Active Directory {R18}: http://www.quest.com/active-directory/migration.aspx
19 Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en
20 Novell Downloads {R20}: http://download.novell.com/index.jsp
Reverse synchronisation
A reverse synchronisation is the process of synchronising data from Novell to Active Directory.
This type of synchronisation is less efficient than a forward synchronisation as MSDSS
compares all objects in NDS against those existing in Active Directory. If any objects have been
changed or new ones created, they are synchronised in their entirety. Due to the way a reverse
synchronisation takes place, an increase in network traffic could be expected. Reducing the
frequency of synchronisation could help reduce the network utilisation, but can have an adverse
effect on the data held within Active Directory and potentially cause Active Directory to become
out of date.
Scheduled synchronisation
A scheduled synchronisation ensures that changes are replicated from one directory service to
the other. By default, a forward synchronisation is carried out every 15 minutes, 24 hours a day.
A reverse synchronisation is carried out every hour from 00:00 (midnight) to 06:00, due to the
increased network traffic caused by this type of synchronisation. If two-way synchronisation is in
use, a different schedule can be configured for each direction.
Password synchronisation
A password synchronisation process can only take place if the passwords are changed from
Active Directory. A password synchronisation occurs when an initial reverse synchronisation
takes place, a user account is created in NDS as part of a two-way synchronisation, or a
password is changed in Active Directory.
It is not possible to synchronise passwords from a Novell directory service to Active Directory. A
password scheme is used if either an initial reverse synchronisation is completed or new users
are created in NDS. A password scheme is then used to determine what the password will be
for the first logon. The user is then prompted to change it once successfully logged on.
Table 3: MSDSS Synchronisation Types
Recommendation
It is recommended that a healthcare organisation uses an initial reverse synchronisation, followed by
one-way forward synchronisations configured with a default schedule. Once the initial synchronisation has
occurred, objects should be managed through Active Directory and any changes, including passwords,
will be synchronised to NDS.
For the full functionality of MSDSS, both the Active Directory and NDS directory schemas require
extending. The Active Directory schema extensions enable the following features:
Migration
One-way synchronisation
Two-way synchronisation
The NDS directory schema extensions are only required for a two-way synchronisation.
Note
As the recommendation is to use a one-way synchronisation, it is possible to carry out the migration
without the need to extend the NDS directory schema.
MSDSS provides the ability to migrate passwords from Active Directory to NDS, Bindery or
eDirectory; however, it is not possible to migrate passwords from a Novell environment to Active
Directory.
For this reason, when synchronising users during an initial reverse synchronisation, a password
scheme is used to specify what the password should be for new users in Active Directory. Four
possible options are available, as detailed in Table 4:
Set passwords to the user name
When this option is selected, users are created with a password that matches their user name.
When logging on for the first time, the user will have to change this password.
Set passwords to random values
When this option is selected, users are created with a password that is set to a random value,
eight characters in length. When logging on for the first time, the user will have to change this
password.
This option is the most secure password scheme available. The random values are written to a
text file that members of the Administrators group on the domain controller can access.
Set all passwords to the following
When this option is selected, users are created with a password that is specified within the fields
available in the Password Synchronisation Options dialog box. When logging on for the first time,
the user will have to change this password.
Table 4: MSDSS Password Schemes
Recommendation
It is recommended that a healthcare organisation uses the option of setting passwords to random values
because all other options would enable any user to log on using any other user’s migrated account and
gain access to data and other resources to which they normally would not have access.
A communication should be created for all users, informing them of the time they will be migrated to the
new environment and any changes to the logon process, as well as any new location for storing their data,
and so on. This communication can also be used to relay what the user’s new password will be. For
example, creating a mail-merge document while using the password file as a data source allows
communications to be created directly, focusing on the individual user.
Using FMU, it is possible to view migration maps to see which objects from NDS are being mapped
to the corresponding objects in Active Directory. The following maps are available to view:
NDS organisational units and organisations to Active Directory group
NDS group to Active Directory group
NDS user to Active Directory user
Using these migration maps allows an IT administrator to confirm the translation of objects from
NDS to the corresponding objects in Active Directory.
When using the FMU, the source must always be a volume or directory on an NDS server and the
target must be a shared folder on a Windows Server 2003 or Windows 2000 Server. The FMU
allows for a single source to be mapped to multiple targets or multiple targets mapped to a single
source.
5.5.2.4 Third-Party Tools
SfN provides a set of freely available tools and utilities when migrating from Novell NetWare.
However, for larger, more complex environments, some limitations of SfN could require a healthcare
organisation to provide extra resource in planning, developing and migrating between
environments.
Other migration tools are available for purchase from other companies, for example, Quest
Software has developed NDS Migrator, a tool specifically designed to aid in migrating from NDS or
Bindery services to Active Directory.
NDS Migrator can provide enhanced benefits such as:
A single tool for migration of both objects and data
Does not require additional software installed on a domain controller
Simple exclusion of unused, disabled or locked-out accounts
Supports a rollback facility of specific migrated objects
For more details on the NDS Migrator tool available from Quest Software, visit the Migrate Novell
Directory Services to Active Directory Web page²¹.
Note
The information provided here on Quest Software tools is neither a recommendation nor an endorsement
for its use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for
their Active Directory migration project, careful assessment, planning and testing of the migration must still
take place.
21 Migrate Novell Directory Services to Active Directory {R21}: http://www.quest.com/nds-migrator
6 DEVELOP
During the Develop phase, the solution components are built based on the planning and designs
completed during the earlier phases. Further refinement of these components will continue into the
stabilisation phase.
Figure 9 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and
IT Architect need to determine when planning for an Active Directory migration within a healthcare
organisation.
This section is split into two distinct areas, each focusing on the server operating systems in use in
the old environment.
If migrating from a Windows NT Server 4.0 or Active Directory domain, see section 6.1. If migrating
from a NetWare environment, see section 6.2.
Recommendation
The steps, scripts and processes provided in this section should be thoroughly tested before any
large-scale live migrations are performed, to ensure they work as expected.
22 Group Policy for Healthcare Desktop Management {R22}:
http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx
Where:
<DomainName> is the name of the source domain
<KeyFilePath> is the full path including file name of the encryption key to be created
This encryption key file needs to then be made available, either on a removable disk or network
share, to the domain controller in the source domain where the PES service will be installed.
Once the steps above have been completed, the configuration of ADMT can be verified by
checking that:
A local group has been created in the source domain named <DomainName>$$$, where
<DomainName> is the name of the source domain.
The TcpipClientSupport registry DWORD entry has been created on the source domain
PDC in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA subkey, and
the value is set to 1.
Auditing has been enabled for account management in both the source and target domains.
Information
Auditing can be verified on a Windows NT Server 4.0 computer through User Manager for Domains.
In Active Directory, auditing can be verified within the Default Domain Controllers Policy accessed
through Active Directory Users and Computers or the Group Policy Management Console.
[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No
The example option file above has a Migration section and a User section. Other sections such as
Group, Computer and Security can all be specified within the same option file. When run,
depending upon the command given, ADMT will determine which options are relevant for the
migration it is running. For example, if running a user migration, the TranslateRegistry option for a
computer will be ignored. For a full list of available options in an example option file, see
APPENDIX B.
Note
The TargetOU line is wrapped onto the following line in this document but must not be when creating the
text file for use during the migration.
If a line begins with a semi-colon (;), or an option has not been specified within the option file, ADMT
ignores it and uses the default value for that option.
For details of the options available for use with ADMT, type the following at the command prompt:
C:>admt /?
Further help can be displayed on the options for objects that can be migrated. For example, for a
user, type the following at the command prompt:
C:>admt user /?
The ‘user’ parameter can be substituted with ‘group’, ‘computer’, ‘security’, ‘service’ or ‘password’
to obtain specific help on the options for each of these objects.
Recommendation
The service, computer and security objects of an ADMT migration can all use the PreCheckOnly option
within the option file. Healthcare organisations should use this to gather information about whether the
migration will be successful or not before the actual migration takes place.
Verbose logging should also be enabled to ensure the maximum amount of data is recorded to aid in
troubleshooting, if issues occur.
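A pre-flight check for an option file before a rehearsal run, as an added example that is not part of the original guide or of ADMT: it reports options commented out with a semi-colon (so the ADMT default applies), lines that look like the tail of a value wrapped onto a second line, and Computer, Security or Service sections where PreCheckOnly is not Yes. The function names and the sample file, including its domain names and TargetOU value, are constructed for illustration.

```python
import re

# Sections whose migrations can use PreCheckOnly, per the recommendation above.
PRECHECK_SECTIONS = {"computer", "security", "service"}
# A "key" that is really an LDAP attribute type means a distinguished name
# (for example a TargetOU value) was wrapped onto this line.
DN_ATTRS = {"DC", "OU", "CN"}
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_option_file(text):
    """Parse option-file text.

    Returns (sections, commented, suspect):
      sections  - {section: {option: value}} for options that are set
      commented - {section: [option, ...]} for ';' lines, which ADMT ignores
      suspect   - [(line_number, text)] lines that are not option=value
    """
    sections, commented, suspect = {}, {}, []
    current = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, {})
            commented.setdefault(current, [])
            continue
        if line.startswith(";"):
            name = line.lstrip("; ").split("=", 1)[0].strip()
            if current is not None and name:
                commented[current].append(name)
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if current is None or "=" not in line or key.upper() in DN_ATTRS:
            suspect.append((number, line))
            continue
        sections[current][key] = value.strip().strip('"')
    return sections, commented, suspect


def rehearsal_findings(text):
    """Return human-readable findings to resolve before a pre-check run."""
    sections, commented, suspect = parse_option_file(text)
    findings = []
    for number, line in suspect:
        findings.append(
            f"line {number}: looks like the tail of a wrapped value: {line!r}")
    for section, names in commented.items():
        for name in names:
            findings.append(
                f"[{section}] {name} is commented out, ADMT default applies")
    for section, options in sections.items():
        if section.lower() in PRECHECK_SECTIONS:
            if options.get("PreCheckOnly", "").lower() != "yes":
                findings.append(
                    f"[{section}] PreCheckOnly is not Yes, this run would migrate")
    return findings


# Constructed sample: TargetOU is wrapped onto line 5, MigrateSIDs is
# commented out, and the Computer section would perform a real migration.
SAMPLE_OPTION_FILE = """\
[Migration]
SourceDomain=OLDDOM
TargetDomain=newdom.example
TargetOU=OU=Migrated Users,OU=Hospital,
DC=newdom,DC=example

[User]
;MigrateSIDs=Yes
FixGroupMembership=Yes

[Computer]
PreCheckOnly=No
RestartDelay=5

[Service]
PreCheckOnly=Yes
"""

if __name__ == "__main__":
    for finding in rehearsal_findings(SAMPLE_OPTION_FILE):
        print(finding)
```
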
Important
The TargetName option in the include file cannot be used with the TargetUPN, TargetSAM or TargetRDN.
The TargetUPN option can only be used with user accounts.
The TargetRDN option can contain commas, but each comma must be preceded by a back slash (\). For
example, ‘CN=surname\, firstname’. The TargetRDN option must include the text ‘CN=’.
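The include-file rules above can be checked before a migration run. The following is an added example, not part of the original guide or of ADMT; it assumes the include file is comma-separated with a first row naming the columns and a SourceName column, and it expects ‘CN=’ at the start of a TargetRDN value. The function names and sample rows are constructed.

```python
import re

# Split on commas that are NOT preceded by a backslash, so an escaped comma
# inside a TargetRDN value ("CN=surname\, firstname") stays in one field.
UNESCAPED_COMMA = re.compile(r"(?<!\\),")

# Columns that cannot appear together with TargetName.
RENAME_COLUMNS = ("TargetRDN", "TargetSAM", "TargetUPN")


def split_fields(line):
    """Split one include-file row into fields, honouring backslash-escaped commas."""
    return [field.strip() for field in UNESCAPED_COMMA.split(line)]


def validate_include_file(text, object_type="user"):
    """Check include-file text against the rules in the Important box above.

    object_type is the kind of migration the file will be used with
    ("user", "group" or "computer"). Returns a list of (line_number, message).
    """
    rows = [(n, l) for n, l in enumerate(text.splitlines(), start=1) if l.strip()]
    if not rows:
        return [(0, "include file is empty")]

    problems = []
    header_line, header_text = rows[0]
    header = split_fields(header_text)
    lowered = [name.lower() for name in header]

    if "sourcename" not in lowered:
        problems.append((header_line, "header has no SourceName column"))
    if "targetname" in lowered:
        clash = [c for c in RENAME_COLUMNS if c.lower() in lowered]
        if clash:
            problems.append(
                (header_line, "TargetName cannot be combined with " + ", ".join(clash)))
    if "targetupn" in lowered and object_type != "user":
        problems.append((header_line, "TargetUPN can only be used with user accounts"))

    rdn_index = lowered.index("targetrdn") if "targetrdn" in lowered else None
    for number, line in rows[1:]:
        fields = split_fields(line)
        if len(fields) != len(header):
            # An unescaped comma in a name splits one value into two fields.
            problems.append(
                (number, f"{len(fields)} fields but header has {len(header)}; "
                         "check for an unescaped comma in TargetRDN"))
            continue
        if rdn_index is not None:
            rdn = fields[rdn_index]
            if rdn and not rdn.upper().startswith("CN="):
                problems.append((number, "TargetRDN must include the text 'CN='"))
    return problems


# Constructed sample that satisfies every rule for a user migration.
SAMPLE_GOOD = r"""SourceName,TargetRDN,TargetSAM,TargetUPN
jsmith,CN=Smith\, John,john.smith,john.smith@newdom.example
"""

# Constructed sample: TargetName used with TargetRDN (line 1), an unescaped
# comma (line 3) and a TargetRDN value without CN= (line 4).
SAMPLE_BAD = r"""SourceName,TargetName,TargetRDN
jsmith,john.smith,CN=Smith\, John
abrown,anne.brown,CN=Brown, Anne
cjones,carol.jones,Jones
"""

if __name__ == "__main__":
    for number, message in validate_include_file(SAMPLE_BAD):
        print(f"line {number}: {message}")
```
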
Note
If the location of the option file or include file is not in the current working directory, the full path should be
specified. If the path name contains spaces, enclose the full path and file name in double quotation marks
(").
6.2.1.1 Creating a Migration Account
When running the migration, a migration account should be created and used, rather than an IT
administrator’s individual account. This ensures that an IT administrator tasked with a portion of the
migration is not granted permissions that would not normally be provided outside of the migration. It
also ensures that if the account is used in a script, an individual’s account credentials are not
shared.
The installation of SfN will attempt to extend the Active Directory schema and, as such, appropriate
credentials are required.
Recommendation
A healthcare organisation should create a single account in the target domain for the installation of SfN
and the migration of all objects. This account should then be made a member of the following security
groups:
Domain Admins
Enterprise Admins
Schema Admins
Important
Due to the permissions gained through these security groups, of which the migration account will be made
a member, it is important to ensure that auditing is carried out on this account. Also, once the migration is
complete, the migration account must be removed from these security groups.
23 Novell Downloads {R20}: http://download.novell.com/index.jsp
24 Microsoft Download Center: Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en
Once the synchronisation session has been created, it is displayed in the MSDSS window. The
session can then be managed. Right-click the session name to select a number of tasks such as:
View Logs – Opens the MSDSS Event viewer
Clone Session – Runs the New Session Wizard and pre-populates the field values with
those used in the selected session
Synchronize Changes - Forward – Forces a forward synchronisation
Update Status – Refreshes the status shown in the MSDSS window
Disable Session – Pauses the synchronisation of objects within the selected session
Properties – Displays the session properties, such as synchronisation schedule, Novell
credentials used, level of detail logged, and password options
Once the initial reverse synchronisation has completed, all users logging onto the Active Directory
domain for the first time must change their passwords. When a password change occurs in Active
Directory, MSDSS initiates a forward synchronisation.
Any password changes made within Active Directory overwrite the existing NDS passwords. If a
password is changed in NDS, it is not synchronised to Active Directory and will therefore cause the
user to have to enter two different passwords when trying to access resources on the different
environments. If this occurs, the user can initiate a password change within Active Directory to
rectify the situation.
7 STABILISE
The Stabilise phase involves testing the solution components whose features are complete, and
resolving and prioritising any issues that are found. Testing during this phase emphasises usage
and operation of the solution components under realistic environmental conditions.
This involves testing and acceptance of the Active Directory migration solution.
Figure 11 acts as a high-level checklist, illustrating the critical components that an IT professional
responsible for stabilising the Active Directory migration needs to determine.
7.1.1 Pilot
As part of the pilot, all aspects of the migration solution will be carried out on a selected number of
users. These users will be expected to carry out their day-to-day activities as normal, but with the
additional responsibility of feeding back any issues regarding access to resources that were
available prior to the migration.
The typical basic steps involved in a pilot include:
Identifying the pilot users, their computers and the data to which they require continued
access
Migrating or synchronising these user accounts, including group membership and login
scripts
Migrating computer accounts to Active Directory, including the removal of any Novell Client
for Windows in a NetWare environment
Migrating data and other resources that are part of the migration but that do not interfere
with other production environment users. This includes maintaining access to shared data
and server-based applications for the pilot users
During the pilot, focus on the following areas:
Check that all the users and their permissions to files and folders were migrated as
expected
Note the time taken to perform migration for the number of users taking part in the pilot
Note the network bandwidth used during migration and ensure that other live users are not
affected
Once the pilot has been completed, document the findings and rework the migration processes as
necessary.
The log files can be viewed from within the ADMT console, or by running ADMT at the command
prompt using the task parameter.
[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No
[Group]
UpdateGroupRights=No
FixGroupMembership=Yes
MigrateSIDs=Yes
MigrateMembers=No
UpdatePreviouslyMigratedObjects=No
DisableOption=EnableTarget
SourceExpiration=None
[Computer]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
RestartDelay=5
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
AutoPostCheckRetry=No
AutoPostCheckRetryInterval=5
AutoPostCheckRetryNumber=2
[Security]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
SIDMappingFile="SID Mapping File Path"
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
[Service]
PreCheckOnly=No
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
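A pre-flight check for an option file like the one above, as an added example (not part of the original guide and not Microsoft's code): it reports duplicate keys, typographic quotes or an unfilled placeholder in SIDMappingFile, and values of the wrong type. The function name, the sample fragment and the classification of keys as Yes/No or numeric are assumptions drawn from the listing above.

```python
import re

# Constructed sample: shaped like the listing above, with paste-induced defects.
SAMPLE = """\
[Security]
PreCheckOnly=No
TranslationOption=Replace
SIDMappingFile=\u201dSID Mapping File Path\u201d
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryInterval=3O
TranslateShares=False
"""

# Assumption: keys the listing shows with Yes/No values are booleans, and keys
# ending in Interval/Number/Delay are whole numbers.
BOOL_KEY = re.compile(r"(PreCheckOnly|FixGroupMembership|Auto\w+Retry"
                      r"|Translate\w+|Update\w+|Migrate\w+)$")
INT_KEY = re.compile(r"(Interval|Number|Delay)$")
CURLY_QUOTES = re.compile("[\u201c\u201d\u2018\u2019]")


def lint_option_file(text):
    """Return (line_number, message) findings for an option file's text."""
    findings, section, seen = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                       # new section: reset duplicate tracking
            section, seen = header.group(1), set()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key or section is None:
            findings.append((n, "not a Key=Value line inside a section"))
            continue
        if key.lower() in seen:
            findings.append((n, f"duplicate key {key} in [{section}]"))
        seen.add(key.lower())
        if CURLY_QUOTES.search(value):
            findings.append((n, f"{key}: typographic quotes in value"))
        if key == "SIDMappingFile" and not re.search(r"[\\/]", value):
            findings.append((n, f"{key}: placeholder text, no path set"))
        elif INT_KEY.search(key) and not value.isdigit():
            findings.append((n, f"{key}: expected a number, got {value!r}"))
        elif BOOL_KEY.match(key) and value.lower() not in ("yes", "no"):
            findings.append((n, f"{key}: expected Yes or No, got {value!r}"))
    return findings
```

Running the check on the option file before the pilot keeps a mistyped value from surfacing only partway through a migration run.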
CN Common Name
IP Internet Protocol
IT Information Technology
OU Organisational Unit
SP Service Pack