
Resource Kit Tools for Migrating Domains

Jack Schmidt, HEPNT/HEPIX Fall 1999


Presentation Transcript


  1. Resource Kit Tools for Migrating Domains
     Jack Schmidt
     HEPNT/HEPIX Fall 1999

  2. Guidelines
     • If you have a large number of domains, merge at least some before the W2000 upgrade
     • Define when you will have the most resources
     • Before considerations
         • SAM - don’t exceed 40MB and plan on increased SAM replication traffic
         • Political issues
         • If you have a multipurpose PDC, consider merging before the W2000 upgrade
     • After considerations
         • Consider moving applications and services from domain controllers to member servers
         • If you have single-purpose DCs with apps and file services on member servers, then consider waiting

  3. ‘Before’ Suggestions
     (Diagram: Target A, Source B, Source C)
     A trusts B, B trusts C, A does not trust C.
     Directory plan calls for B and C to be part of A.
     Collapse C into B, then B into A.

  4. ‘Before’ Suggestions
     (Diagram: Target and Source domains, labelled PDC, PDC, IIS, FILES)
     • Combine IIS Servers
     • Combine File Sharing
     • Shutdown PDC IIS FILES

  5. ‘After’ Suggestions
     (Diagram: W2000 Domain and NT4 Domain, labelled DC, PDC, FILES, IIS, IIS)
     • IIS Server simply joins W2000 Domain
     • Shutdown NT4 PDC

  6. ‘Before’ Suggested Steps
     • Migrate user accounts
     • Migrate global groups
     • Update local group memberships
     • Update permissions
     • Update user rights
     • Migrate computer accounts
     • Move domain controllers
     • Move member servers
     • Move workstations

  7. Useful NT4 Resource Kit Tools
     • ADDUSERS.EXE - command line tool to create, delete, and modify users, global groups and local groups.
     • NTRIGHTS.EXE - command line tool to modify user rights.
     • NETDOM.EXE - command line tool to manage NT domains.
     • SHUTDOWN.EXE - command line tool to remotely shut down or reboot an NT computer.

  8. Useful W2000 Resource Kit Tools
     SIDWalker Tools, found on the W2000 Resource Kit (Technet CD NT4 Resource Kit Utilities). Can be run on W2000 or NT4! Consists of:
     • SHOWACCS.EXE - command line tool to create two files:
         • Access-profile file, which lists all permissions for a computer’s files, shares, printers, local groups and registry.
         • Mappings file, which lists users and groups which appear in the computer’s ACLs.
     • Security Migration Editor - MMC snap-in that maps old users and groups from a mappings file to new users and groups. Ability to save changes to the mappings file.
     • SIDWALK.EXE - uses the updated mappings file to delete or replace SIDs on a computer.

  9. User Accounts
     Goal: create users in the target domain for each account in the source domain.
     • Use ADDUSERS.EXE to dump users and groups to a file:
         Addusers.exe \\sourcedc /d filename
     • Remove the Local and Global sections from the file.
     • Compare accounts in the file to accounts in the target domain; resolve identical accounts by changing the username in the source domain.
     • Use ADDUSERS.EXE to create accounts in the target domain:
         Addusers.exe \\targetdc /c filename
     Note: password properties are left blank! Most other properties will transfer from the source domain.

  10. Global Groups
     Goal: create global groups in the target domain for each global group in the source domain.
     • Use ADDUSERS.EXE to dump users and groups to a file:
         Addusers.exe \\sourcedc /d filename
     • Remove the Local and Users sections from the file.
     • Edit the file and replace the source domain name with the target domain name.
     • Compare global groups in the file to global groups in the target domain; resolve identical groups by changing the group in the source domain.
     • Use ADDUSERS.EXE to create global groups in the target domain:
         Addusers.exe \\targetdc /c filename

  11. Local Groups
     Goal: add users and global groups from the target domain to the source domain. You must update local groups to preserve access on any computer (DC, member server, workstations) that will move to the target domain.
     • Use ADDUSERS.EXE to dump users and groups to a file on each machine that will move:
         Addusers.exe \\sourcedc /d filename
       (if you have 20 systems then you should have 20 files)
     • Remove the Users and Global sections from each file.
     • Replace every reference to the source domain with the target domain.
     • Use ADDUSERS.EXE to create local groups on each system in your source domain:
         Addusers.exe \\targetdc /c filename
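The file edits in slides 9 to 11 (keep one section, rewrite the domain name, find names that already exist in the target) can be scripted. This is an added example, not part of the original presentation; the dump layout (`[User]`, `[Global]`, `[Local]` headers, comma-separated records with the name first) and the domain names SRCDOM and TGTDOM are assumptions, and the sample dumps are constructed.

```python
import re

# Assumed layout: [User]/[Global]/[Local] headers, comma-separated records, name first.
HEADER = re.compile(r"^\[(User|Global|Local)\]$", re.IGNORECASE)

def split_sections(dump_text):
    """Group the non-empty record lines of a dump under their section name."""
    sections = {"user": [], "global": [], "local": []}
    current = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = match.group(1).lower()
        elif line and current:
            sections[current].append(line)
    return sections

def names(records):  # NT account and group names are case-insensitive
    return {rec.split(",", 1)[0].strip().lower() for rec in records}

def collisions(source_dump, target_dump, section):
    """Names present in both domains: resolve these before running /c."""
    src, tgt = split_sections(source_dump), split_sections(target_dump)
    return sorted(names(src[section]) & names(tgt[section]))

def build_import(dump_text, section, source_dom=None, target_dom=None):
    """Keep one section; optionally rewrite the source domain prefix to the target."""
    records = split_sections(dump_text)[section]
    if source_dom and target_dom:
        prefix = re.compile(r"(?<![\w\\])" + re.escape(source_dom) + r"\\", re.I)
        records = [prefix.sub(lambda m: target_dom + "\\", r) for r in records]
    return "\n".join(["[%s]" % section.capitalize()] + records) + "\n"

# Constructed sample dumps (not real ADDUSERS output).
SOURCE_DUMP = """[User]
alice,Alice A,,Physics,,,,
bob,Bob B,,Operations,,,,
[Global]
Operators,Ops team,bob,
[Local]
Backup Ops,Local backup,SRCDOM\\bob,SRCDOM\\Operators,
"""
TARGET_DUMP = """[User]
Bob,Robert B,,Admin,,,,
carol,Carol C,,,,,,
"""

if __name__ == "__main__":
    print(collisions(SOURCE_DUMP, TARGET_DUMP, "user"), build_import(SOURCE_DUMP, "local", "SRCDOM", "TGTDOM"), sep="\n")
```

Running the collision check against a dump of the target domain before the `/c` step shows which source accounts or groups need renaming first.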

  12. Update Permissions
     Goal: update permissions for files, shares and directories in the source domain to reflect accounts in the target domain.
     • Use SHOWACCS.EXE on every computer in the source domain to create access-profile and account mapping files:
         Showaccs.exe accessprofilefile /f /r /s /p /g /m accountmappingfile
       Each account with permissions to resources on the local computer is written to the mappings file.
     • Load accountmappingfile into the Security Migration Editor MMC snap-in. Select users and groups from your target domain that match users and groups in your source domain. Update ACL information and save the mappings file.
     • Use the new accountmappingfile with SIDWALK.EXE to write the mapping file changes to the local computer:
         Sidwalk.exe accountmappingfile /f /s /l
     Note: the following will perform a test run:
         Sidwalk.exe accountmappingfile /t /f /s /l

  13. Update User Rights
     Goal: update user rights on source domain machines to reflect accounts in the target domain.
     • Use NTRIGHTS.EXE to modify rights on source domain machines for accounts in the target domain by creating a script file of rights, machine names and accounts:
         NTRIGHTS -U TARGETDOM\USER -M \\MACHINENAME +R SeAuditPrivilege
     Note: you can have one central file that changes rights across the source domain.

  14. Migrate Computer Accounts
     Goal: create accounts in the target domain for all systems in the source domain.
     Use NETDOM.EXE to create the accounts:
     • Pipe the output from NETDOM to a text file:
         netdom /domain:domainname member > filename.txt
     • Edit the text file and replace the text and = preceding the computer name with “net computer”, then append /add to the end of each line:
         Member 1 = \\kingkong  =>  net computer \\kingkong /add
     • Save the file as .bat or .cmd and run it in your target domain.
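The edit in slide 14 turns tool output into a batch file that will be run with domain rights, so it is worth generating it with a check on each computer name. This is an added example, not part of the original presentation; the `Member N = \\name` line shape is the one shown on the slide, the name filter is an assumption, and the sample input is constructed.

```python
import re
import sys

# Line shape taken from the slide: "Member 1 = \\kingkong".
MEMBER = re.compile(r"^\s*Member\s+\d+\s*=\s*\\\\(.*?)\s*$", re.IGNORECASE)
# Assumption: accept only letters, digits and hyphen, 1-15 characters. This is
# stricter than NT requires, so cmd.exe metacharacters never reach the script.
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]{1,15}$")

def build_batch(netdom_output):
    """Return (commands, rejected): 'net computer' lines and names refused."""
    commands, rejected, seen = [], [], set()
    for line in netdom_output.splitlines():
        match = MEMBER.match(line)
        if not match:
            continue                      # not a member line
        name = match.group(1)
        if not SAFE_NAME.match(name):
            rejected.append(name)         # review by hand, never emit
            continue
        if name.upper() in seen:
            continue                      # duplicate entry
        seen.add(name.upper())
        commands.append("net computer \\\\%s /add" % name)
    return commands, rejected

# Constructed sample input (not real NETDOM output).
SAMPLE = r"""(constructed non-member line)
Member 1 = \\kingkong
Member 2 = \\godzilla
Member 3 = \\KINGKONG
Member 4 = \\bad&name
"""

if __name__ == "__main__":
    cmds, bad = build_batch(SAMPLE)
    print("\n".join(cmds))                # redirect this to the .cmd file
    print("rejected names: %r" % bad, file=sys.stderr)
```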

  15. Move Domain Controllers
     Note: leave the PDC up in the source domain until all other computers are moved!
     To move domain controllers:
     • Make sure you have a good backup and record permissions on the system in case you need to back out.
     • Create domain local groups in the target domain that match local groups in the source domain.
     • Re-install NT. Make sure to replace the OS and not do an Update.
     • Boot and examine permissions and user rights. They should be those of the target domain.
     • Don’t forget to re-install SPs and hotfixes!

  16. Moving Member Servers
     To move member servers:
     • Make sure you have a good backup and record permissions on the system in case you need to back out.
     • Join the domain:
         Netdom.exe /domain:targetdomain member %computername% /joindomain
     • Verify applications and services are still working.

  17. Move Workstations
     To move workstations:
     • Make sure you’ve followed the steps for accounts, local and global groups, permissions and rights.
     • Join the domain:
         • If you have a few workstations then follow step 2 above.
         • If you have a large number of workstations:
             • Copy NETDOM.EXE and SHUTDOWN.EXE to the NETLOGON share on the source domain PDC.
             • Edit the domain login script with:
                 .\netdom /domain:targetdomain member %computername% /joindomain
                 .\shutdown /l /r /t:30 "You have joined the targetdomain domain." /y /c
               The next logon that runs this script will be to your target domain.
     • Don’t forget about Win95/98 systems!

  18. Wrap up
     • Test all commands before rolling out
     • Time-consuming job either way
     • Simplify: fewer domains are easier to upgrade
     • Break apart multi-purpose PDCs
     • Questions?
