In-Depth
Server Migration: Moving from Here to There
Migrating servers, users and resources from Windows NT to Windows Server 2003 was a big challenge for our fictional hero. We review a number of third-party tools to help ease his pain.
Editor’s note: Names and places are the product of the authors’ imagination, and any resemblance to actual persons is purely coincidental.
Like many shop managers using Windows NT, Donald P. Apscot, MCSE and
IT manager for T&T Corp., hasn’t moved off the platform yet. But NT is
on its way out. With a little over a year left for support, now’s the
time for T&T to move to Windows Server 2003.
With some 1,200 users and more than 1,000 PCs scattered across the country, the migration won’t be easy. The project is already underway, with a migration testing lab that duplicates most of the elements of the production environment. The migration will cover four major activities:
Security principal migration. Migrating users and computers from the NT
Security Accounts Manager (SAM) database to Active Directory.
Member server migrations. Migrating all services found on member servers
including file, print, management and other services. This includes special
products such as Exchange, Site Server, and other BackOffice services.
PC migrations. Migrating PCs from obsolete operating systems such as Windows
98 and NT to Windows XP. This will involve capturing and restoring user
data and preferences or profiles.
Application migrations. This involves conversions or redevelopment of
both rich client and Web-based in-house applications.
The migration will be eased with a parallel network. Users and data will
move from the old to the new network (see Figure 1), and all server and
workstation installations will be clean. This way, T&T can take full and
immediate advantage of all of XP/Windows 2003’s native features. And users
in either network can share applications and services during the project.
T&T will start with the security principal migration. If this environment is set up the right way, Don can migrate user and computer accounts, as well as groups, at his own pace.
 |
| Figure 1. To migrate users from the legacy network
to the parallel environment and to allow users in both networks to access
shared resources in either environment, Don needs to establish a two-way
trust between the master domain in NT and the production domain in the AD
forest. |
T&T narrowed the field of migration tools to four choices: NetIQ Domain Migration Administrator (DMA), BindView bv-Admin for Windows Migration, Aelita Domain Migration Wizard (DMW), and Quest Migrator. Several of the products actually come in suites, but for now, T&T is only interested in the domain migration aspects.
Tests will hone in on three areas:
The ability to generate reports about an existing environment before performing
a migration;
The ability to test out a migration before actually performing it; and,
The migration itself, to see if the products perform as advertised.
| The
T&T Testing Environment |
|
Source domains: TANDT, TANDT_RES
Target domain: Intranet.TandT.net
Source domain model: Single master domain,
plus resource domain
No. of user accounts: 1,255
No. of disabled user accounts: 97
User accounts with expiry
dates: 197
Valid user accounts: 961
User accounts with logon
restrictions: 151
No. of privileged accounts
in NT: 100
No. of privileged accounts in
target: 5
No. of global groups: 10
No. of local groups: 10
No. of computer accounts: 1,045
Security Principal Testing Prerequisites
The testing domains were created by restoring a backup from
one of the NT domain controllers of each domain within the
lab. Time was also taken to prepare the testing Active Directory
environment. Using AD best practices, T&T Corp. created an
empty forest root domain named TandT.net and created a single
global child domain for the production environment called
Intranet.TandT.net. IT also made the following preparations:
- The NT machines all include service pack 6a as well as
the Microsoft RPC patch (Microsoft Security Bulleting MS03-010).
- The Windows Server 2003 machines also include the Microsoft
RPC patch.
- The Windows Server 2003 forest includes two domains, the
forest root and the production child domain. Both domains
are set to Windows Server 2003 native modes, but the forest
is not yet converted.
- To make sure NT and AD will speak to each other, IT took
the time to cross over DNS addresses from one environment
to the other, creating a Windows Server 2003 entry in NT
and creating the NT entry in Windows Server 2003.
- A two-way trust was set between the TandT (NT) and the
Intranet.TandT.net (Windows Server) domains.
- Since the Windows NT System Key (Syskey.exe) has been
applied to all DCs in the single master domain, IT had to
add a new backup domain controller without the encryption
key in the lab to allow some of the tools to read NT passwords.
Since there is little load on this machine, an old PC was
powerful enough for this role.
- T&T wants to perform the migration from the target domain,
but to do so, IT needs local administrative rights on each
machine in the source domain. There are several ways to
do this—for example, IT could run a command on each machine
to add an administrative account from the target domain
to the local administrators group—but T&T wants to do it
with the least amount of effort. First, IT added the Domain
Admins group from Intranet.TandT.net to the Administrators
group in the TANDT domain and added the Domain Admins group
from TANDT to the Administrators domain local group in the
Intranet.TandT.net domain. This gives cross-over administrative
rights at the domain level. Next, IT uses a Run As command
in the target domain to execute the migration tools with
the Administrator credentials from the TANDT domain. This
automatically gives local administrative rights on each
machine in the source domains.
|
|
|
| Product
Information |
Aelita Domain Migration
Wizard
$12 per user
Aelita
www.aelita.com
BindView bv-Admin for
Windows Migration
$9.95 per user
BindView
www.bindview.com
NetIQ Domain Migration
Administrator
$3 per user, $6 per user for suite
NetIQ
www.netiq.com
Quest Fastlane Migrator 6.0
$10 per user
Quest Software
www.quest.com
|
|
|
NetIQ Domain Migration Administrator
First up is Domain Migration Administrator from NetIQ. NetIQ built Microsoft’s
Active Directory Migration Tool. DMA is similar to ADMT, but with more
bells and whistles.
The installation went smoothly; since it’s an MSI package, it will be
easy to uninstall to proceed with other tests. Once installed, DMA proved
quite easy to use. The migration interface clearly lists the steps to
perform, and their order (see Figure 2). Each migration can be performed
live or through the creation of a migration project. One advantage of
using a project instead of a direct migration is that projects support
single object undos or rollbacks. If a single user is migrated that shouldn’t
have been, you can simply roll back this user to the original domain.
DMA includes pre-migration tasks such as analyzing the source domain environment to discover just how many security principals are valid and how many are obsolete (some organizations simply disable accounts and never actually remove them from the SAM). These reports help determine if the SAM needs to be cleaned up as objects migrate from NT to AD. DMA also supports migration testing for each project, helping identify issues with the project before performing the actual migration.
 |
| Figure 2. NetIQ Domain Migration Administrator provides
a step-by-step approach to migrations, making it the simplest tool to use.
(Click image to view larger version.) |
DMA can migrate users individually or through groups. When you choose a Global
or Local group, DMA offers to include all the group’s users during the migration.
If your group strategy in NT is well designed, you can migrate users on a group-per-group
basis, and target the appropriate organizational unit (OU) in AD. DMA lets you
create or modify the OU structure as you prepare a migration project, so it
doesn’t have to be prepared beforehand. It’s a very good idea, though, to plan
and prepare the OU structure in advance; this isn’t something you want to do
on the fly. DMA also supports the migration of security identifier (SID) history,
a key element of any migration.
DMA migrates passwords from NT to AD with ease, though it doesn’t seem to verify password validity for the target domain. In a Windows 2003 domain, password complexity is enabled by default with a minimum password length of seven characters. However, DMA let Don migrate accounts with non-complex passwords that used fewer than seven characters. What’s worse, these users were able to log into the new intranet domain with their inadequate password without any errors.
DMA is a solid tool, but if T&T picks this product, Don will have to
rethink his password migration strategy.
BindView bv-Admin for Windows Migration
Bv-Admin for Windows Migration, BindView Corp.’s flagship migration product,
also installs as an MSI package. It proposes two products for Windows
migrations: The first migrates security principals, and the second migrates
Windows resources (files and folders, printers, profiles and more). Migration
projects can be charted through templates. And though several templates
are available for resource migrations, none are provided for security
principal migrations (see Figure 3). Bv-Admin also supports migrations
through the use of projects. Migrating groups will include the accounts
they contain, just as with NetIQ’s DMA.
 |
| Figure 3. BindView bv-Admin uses two major tools
to perform Windows migrations. The first migrates security principals.
This tool is supported by a series of utilities such as the Password
Copy utility. The second migrates Windows resources. (Click image
to view larger version.) |
Because its list of prerequisites is quite daunting (Service Pack 6a,
the Directory Services Client for NT, and much more), bv-Admin shouldn’t
be installed in the source domain if that domain is an NT environment.
It’s easier to install bv-Admin in the destination domain, since Windows
2003 already includes most prerequisites for the tool to function. Password
migrations are supported, but migrating passwords is a separate activity
and must be performed after migrating accounts. Bv-Admin is quite resource
intensive, one reason BindView recommends limiting migration projects
to no more than 2,000 users or 50 PCs at a time (migrating a single PC
took more than two hours). If the source domain is AD instead of NT, bv-Admin
requires that the Password Export Server (PES) tool from Microsoft’s
ADMT Version 2 be installed. Otherwise, it won’t be able to read
passwords. In addition, bv-Admin recommends changing default settings
in Windows 2003 to create more than 10 accounts during a migration, something
not done lightly. [This paragraph contains a corrected statement that
isn't reflected in the print issue.—Editor]
Bv-Admin’s features are extremely comprehensive, but far from intuitive.
Migration setup was complex and not always evident. Fortunately, bv-Admin
can automate the process through the SIDHistory Configuration tool. Though
there is no mention of Windows 2003 in the tool, it worked mostly well
in this environment.
Aelita Domain Migration Wizard (DMW)
Aelita’s Domain Migration Wizard (DMW) offers all the features required
to perform a directory migration. However, Don had to use two Aelita tools
to achieve his goals because DMW doesn’t include reporting by itself.
Instead, reporting is handled by Aelita’s powerful Enterprise Directory
Reporter (EDR). EDR can not only report on all aspects of the directory,
but also perform a comprehensive hardware and software inventory of the
entire network, making it useful even after the migration. EDR requires
either Microsoft’s desktop database engine (MSDE) or a full version of
SQL Server to operate.
DMW, on the other hand, requires the Microsoft Access 2000 runtime, because
each migration project is stored in its own database. Undo level is only
supported for an entire project. With DMW, you can begin a migration,
stop it in the middle, and start it over again exactly where it was stopped.
This is the only product that provides this feature. Though the interface
isn’t as intuitive as NetIQ’s, DMW includes a Quick Tour of the product,
letting users rapidly learn what steps are required to migrate (see Figure
4).
 |
| Figure 4. Aelita uses four steps to perform a
migration. Each is available in the Migration menu located in the
toolbar. Each migration is treated as a project, though only one project
can be loaded in the interface at a time. (Click image to view larger
version.) |
DMW proposes four simple steps towards a migration—migrate users, groups and computer accounts; support the interaction of users in both the source and target environment; deactivate source accounts; perform directory cleanup operations. DMW fully supports the migration of SID history. It also uses a nifty approach to the migration of computers from one domain to another, simply replacing key Registry entries to move the system from the source to the target domain without requiring a reboot. Computer migration, however, requires you to either have all systems turned on before the migration, or provide the Aelita Agent Manager with a list of systems. If the latter is chosen, Agent Manager will continue to retry systems that are turned off until they’re turned on again.
DMW comes with a thorough resource kit with all sorts of utilities, including a tool that demotes NT domain controllers to member servers.
Though DMW provides comprehensive reporting through the ERD, it doesn’t
support migration testing. It supports migration through groups, though
not in a very intuitive way. In fact, Don missed this feature in his first
tests and was only able to find it after researching the documentation.
The product is powerful and feature complete, but not intuitive. And DMW
doesn’t install as an MSI, using an outdated setup. Though it’s understandable
that Aelita doesn’t want to invest further in this product, as it’s aimed
at NT and the company has a new AD-focused tool, converting the install
would be a good idea.
Quest Fastlane Migrator
Quest Fastlane Migrator is also an MSI installation, providing a quick
and simple installation process. Once installed, Migrator is easy to use.
When launched, it automatically displays the Migration Project interface,
giving clear instructions on how to proceed. Don didn’t even need the
user manual to begin his first migration testing project. Quest presents
each aspect of a migration project in a step-by-step format. For Quest,
three steps are required: First, migrate accounts and groups; next, update
resources such as computers and servers; finally, clean up the directory.
Each task includes clear and detailed instructions presented in the details
pane of Migrator’s Project Microsoft Management Console (MMC) interface
(see Figure 5). For reports, you have to close the project you’re working
on and use the NT Reporter from the Migrator console. NT Reporter can
report on a variety of objects in the NT domain: users, computers, groups,
NTFS permissions and more. Since it’s slow, it may be a good idea to launch
and let the report run through the night if your network includes several
thousand objects. There seems to be no way to limit the number of user
accounts analyzed by this reporting tool. Once complete, the report is
quite detailed. Reports are stored within MSDE or SQL Server, which need
to be installed prior to the Migrator installation.
 |
| Figure 5. Quest Migrator provides an intuitive
interface that outlines the steps required for a migration. For Quest,
only three steps are required. (Click image to view larger version.) |
Migrator comes with a resource kit with several useful tools. One of these is the DC Mover, which migrates DCs from source domains to target domains without losing any of the permissions stored on the server. This is great for multipurpose DCs that also host file and print services. The resource kit also includes a Laptop Updater, designed to create migration jobs that can be run when laptops aren’t connected to the network. The Remote Update can also run jobs remotely without having to install an agent on the remote computer. The SIDHistory Mapper can remap SIDs to accounts that have been previously migrated without history.
The only drawback of Quest Fastlane Migrator is that it must use the
ADMT Password Export Server to be able to handle password migrations,
requiring the installation of a special server to support this aspect
of the migration (see online review of ADMT). The PES software is included
on the Quest CD. Despite this, Don found Migrator to be a feature-rich
product with an intuitive interface that makes migrations easy for newcomers
and experienced users alike.
| Managing
SID History |
| Each account created in a Windows domain is given
an individual security identifier (SID). The SID is a number
that is randomly generated when a security principal— a user
or computer account, a security group—is created. Though people
deal with account and group names, Windows works with the SID.
When a user creates or modifies objects in a network, it’s the
SID that is associated with the object, not the user’s name.
When you migrate a security principal from one domain to another,
you assign a new SID to the security principal.
As all a user’s data is associated with the SID that represents the user at the time an object is created, all of a user’s data in the source network will be associated with the user’s legacy SID. When you transfer this data to the new network, you must use a special technique that will either carry over the user’s legacy SID or translate the SID on the object to the user’s new SID (the one generated by the new network). Active Directory includes an attribute called SIDHistory. This attribute retains the user’s legacy SID when the user account is migrated. This way a user has access to objects created in the source network even if they have been migrated to the target network (this also requires a tool that can migrate files and folders but retain the original SIDs). Once the objects are migrated, you need to remove the SID history.
The best way to do this is to use SID
translation. This operation removes the original SID
from an object’s properties and applies the new SID.
Once this is done, you can remove the user’s SID history
attribute. This helps create a more secure network because
malicious users could use the SID history attribute
to gain unauthorized access to resources.
—Danielle Ruest and Nelson Ruest
|
|
|
Don’s Final Evaluation
To prepare his final report, our fictional IT manager tabulated all the
results of his product tests and placed them in a comparative table (Table
1). This gave him an overview of the technical capabilities of each product.
He then calculated the cost for each migration tool based on the information
provided by each respective product manufacturer. This was as simple as
multiplying the number of users accounts (1,255) Don needs to migrate
by the cost per user. The results were extremely varied. Quest Fastlane
Migrator was $12,550; the Aelita Controlled Migration Suite was $15,060;
bv-Admin for Windows Migration was $12,487.25; and NetIQ Domain Migration
Administrator was $3,765.
For Don, the decision was very easy. Even though it was not his first choice, he opted for NetIQ Domain Migration Administrator because it was the easiest to support in his business case. In fact, he decided to recommend the acquisition of the entire NetIQ Migration Suite because for a total of $7,530, he would not only get the Domain Migration Administrator, but also the Server Consolidator as well as Exchange Migrator.
Don was disappointed that Quest Fastlane Migrator was so expensive (more
than $12,500), because he really liked its approach to migration, providing
clear, concise steps for each phase of the project. Its reporting capabilities
were also quite acceptable, but it will be impossible for Don to make
a business case that recommends Quest Fastlane Migrator, when NetIQ provides
most of the same functionality for a much lower price.
He may, however, decide to acquire Aelita’s Enterprise Directory Reporter
on its own since he was thoroughly impressed by its directory reporting
and inventory features—features that could be useful in the new network.
BindView’s bv-Admin supported all three of T&T’s testing goals—reporting,
testing and migrating—as well as single object undoes. The cost of bv-Admin,
however makes it difficult to justify. Don has decided that for less than
the cost of a new server, he can acquire the NetIQ Migration Suite, giving
three useful migration tools for his migration today and still be useful
for the support of other operations later.
| Table 1. Migration
Tool Evaluation |
| Activity |
Aelita
Controlled Migration Suite |
BindView
bv-Admin for Windows Migration |
NetIQ
Domain Migration Administrator |
Quest
Fastlane Migrator |
| Profile Translation Support |
|
|
|
|
| Print Migration |
|
|
|
|
| MMC Taskpad |
|
|
|
|
| Multiple Domain Support |
|
|
|
|
| MSI Installation |
 |
|
|
|
| SID History Support |
|
|
|
|
| SID History Cleanup |
|
|
|
|
| Migration Reporting |
|
|
|
|
| Migration Testing |
X
|
|
|
|
| User Settings Support |
|
|
|
|
| Documentation Format |
PDF, Compiled
Help |
PDF, Compiled
Help |
Word, Compiled
Help |
PDF, Compiled
Help |
| Database Support |
Access 2000,
MSDE, or SQL |
Access |
Access |
SQL or MSDE |
| Delegation of Migration Task |
|
|
|
|
| Two-way Trusts Required |
|
|
|
|
| Move to Specific Destination
(OU) |
|
|
|
|
| Capacity to Create an OU during
the move |
|
|
|
|
| Undo Capability |
At the session
level |
At the object
level |
At the object
level for projects |
At the object
level |
| Resource Kit |
|
X
|
|
|
| Tutorials or Quick Start Guides |
|
Tutorial |
Knowledge Base |
|
| Support for Migration Project |
|
|
|
|
| Source Domains |
NT, 2000, 2003 |
NT, Proprietary
NT OUs, 2000, 2003 |
NT, 2000, 2003 |
NT, 2000, 2003 |
| Target Domains |
NT, 2000, 2003 |
NT, 2000, 2003 |
NT, 2000, 2003 |
NT, 2000, 2003 |
| Scripting support |
VBScript |
X
|
VBScript, JScript |
With support
from Professional Services Group |
| Command-line support |
|
Obtain from Tech
Support |
|
Obtain from Professional
Services Group |
Legend:
Provides full functionality
Provides partial functionality
X Does not
provide any functionality |
|
|
|