Windows NT 4.0 and Windows Server 2003 Active Directory Interoperability

Presentation topic: "Windows NT 4.0 and Windows Server 2003 Active Directory Interoperability". Presentation transcript:

1 Windows NT 4.0 and Windows Server 2003 Active Directory Interoperability
Raúl Andrés Palacios, Technology Specialist, Microsoft Chile
KEY MESSAGE: This Microsoft TechNet session is on Windows NT 4.0 and Windows Server 2003 Active Directory Interoperability.
SLIDE BUILDS: None
SLIDE SCRIPT: Hello and welcome to this Microsoft TechNet session on Windows NT 4.0 and Windows Server 2003 Active Directory Interoperability. My name is {insert name}.
SLIDE TRANSITION: Let’s take a look at what we will cover in this session.

2 What we will cover
- Trust relationships
- Using Active Directory Sizer
- Name resolution methods
- Migrating accounts
- Windows NT 4.0 and Windows Server 2003 replication
- Logon script interoperability and replication
- System and group policy interoperation
KEY MESSAGE: This is what we will cover in this session.
SLIDE BUILDS: None
SLIDE SCRIPT: This session will cover trust relationships, using the Active Directory Sizer tool, name resolution methods, migrating accounts from Windows NT 4.0 to Windows Server 2003, Windows NT 4.0 and Windows Server 2003 directory and file replication, and system and group policy interoperation.
SLIDE TRANSITION: Now let’s look at the prerequisites for this session.

3 Prerequisites
- Experience supporting NT 4.0 servers
- Experience supporting NT 4.0 domains
- Experience supporting domain replication
- Familiarity with the Windows Server 2003 graphical interface
- Familiarity with Active Directory concepts
Level 200
KEY MESSAGE: To get the most out of this session, you should meet the prerequisites outlined on this slide.
SLIDE BUILDS: None
SLIDE SCRIPT: To get the most out of this session you should:
- Have experience supporting NT 4.0 servers
- Have experience supporting NT 4.0 domains
- Have experience supporting domain replication
- Be familiar with the Windows Server graphical user interface
- Be familiar with Active Directory concepts
SLIDE TRANSITION: Let’s look at the agenda for this session.

4 Agenda
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Active Directory Migration Tool v2
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
KEY MESSAGE: This is the agenda for this session; the first agenda topic is creating trust relationships.
SLIDE BUILDS: None
SLIDE SCRIPT: The agenda for this session includes:
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Using the Active Directory Migration Tool
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
The first agenda topic is creating trust relationships.
SLIDE TRANSITION: So, when do you need trust relationships?

5 Creating trust relationships: When do you need trust relationships?
- Trusts allow you to
  - Access resources in all domains in your enterprise
  - Have a single sign-on experience
- Upgrading from NT 4.0 to Windows Server 2003
  - Trusts are maintained
- Migrating to a new domain structure
  - Opportunity to restructure the domain
  - Create trusts between new domains and old domains
  - Provides access to resources during the migration
KEY MESSAGE: Trust relationships are important when upgrading your domain from Windows NT 4.0 to Windows Server 2003 and when migrating to a new domain structure in Windows Server 2003.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] Trust relationships connect domains and allow users to access resources such as file shares that exist in other domains. With trusts in place, users and administrators can access resources with a single logon.
[BUILD 2] When upgrading your domain from Windows NT 4.0 to Windows Server 2003, existing trust relationships are preserved intact and continue to allow you access to necessary information on trusted domains in your enterprise before, during, and after the transition.
[BUILD 3] Trusts are also needed when migrating an existing Active Directory domain to a new domain structure. This scenario is common in a merger or acquisition. The trust relationship allows you to access resources in the domains you’re migrating from while the migration is ongoing.
SLIDE TRANSITION: How do you create a two-way trust relationship between a Windows NT 4.0 and a Windows Server 2003 domain?
ADDITIONAL INFORMATION FOR PRESENTER: Trust relationships:

6 Creating trust relationships: Creating a two-way trust
- Windows NT 4.0
  - Use User Manager for Domains
  - Add trusted and trusting domains
  - The trust password must be the same for both domains
- Windows Server 2003
  - Use Active Directory Domains and Trusts
  - The trust password must match
- Validate the trust after creating it
KEY MESSAGE: Trust relationships are created and managed using User Manager for Domains on Windows NT 4.0, and Active Directory Domains and Trusts on Windows Server 2003.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] A two-way trust is a trust relationship where both domains consider the other a trusted domain. To create a two-way trust on Windows NT 4.0, you use the User Manager for Domains tool and assign the other domain as both a trusted and a trusting domain. A trusted domain is a domain that is trusted by your domain, while a trusting domain is a domain allowed to trust you. When you create this trust, you will assign a trust password used by both domains in the trust.
[BUILD 2] Trust relationships in Windows Server 2003 are established using the Active Directory Domains and Trusts tool. To create a two-way trust, you add the other domain as a trusted and trusting domain. The trust password must be the same on both domains.
[BUILD 3] Once the trusts have been created, you should verify that the trust has been successfully established on both domains. This function can be performed using Active Directory Domains and Trusts.
SLIDE TRANSITION: Let’s look at a graphic example of a two-way trust between NT 4.0 and Windows Server 2003 domains.
ADDITIONAL INFORMATION FOR PRESENTER: How to:

7 Creating trust relationships: A two-way trust relationship
- Windows NT 4.0 domain
- Windows Server 2003 domain
- Users can now access resources in both domains
KEY MESSAGE: A two-way trust relationship
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] Here is a Windows NT 4.0 domain.
[BUILD 2] This is a Windows Server 2003 domain.
[BUILD 3] The trusts are created in the Windows NT 4.0 domain and the Windows Server 2003 domain. Once the trust relationship has been established, users will be able to access resources in both domains. This is a two-way trust relationship.
SLIDE TRANSITION: Now let’s look at the details of establishing a two-way trust relationship.
ADDITIONAL INFORMATION FOR PRESENTER:

8 Demonstration 1: Creating trust relationships
Create and verify trust relationships
KEY MESSAGE: In this demonstration you will see how to create and verify a two-way trust between a Windows NT 4.0 and Windows Server 2003 domain.
SLIDE BUILDS:
SLIDE SCRIPT: In this demonstration you will see how to create and verify a two-way trust relationship between a Windows NT 4.0 and Windows Server 2003 domain.
SLIDE TRANSITION: Now let’s move on to the next agenda item.

9 Agenda
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Active Directory Migration Tool v2
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
KEY MESSAGE: The next agenda item is using the Active Directory Sizer tool.
SLIDE BUILDS: None
SLIDE SCRIPT: The next agenda item is using the Active Directory Sizer tool to plan domain controller requirements for an Active Directory deployment.
SLIDE TRANSITION: Let’s take a look at the Active Directory Sizer tool.

10 Using Active Directory Sizer: To deploy the domain controller
- Stand-alone tool available for download
- Plan the size and number of domain controllers
- Plan based on
  - Number of users, computers, and other Active Directory objects
  - User activity during peak hours
  - Available hardware and desired CPU usage
  - Account password expiration
  - Other criteria
KEY MESSAGE: The Active Directory Sizer tool helps you plan your enterprise needs when migrating to a Windows Server 2003 Active Directory domain.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] Active Directory Sizer is a stand-alone tool available for download from Microsoft. It can be used to plan for the size and number of domain controllers in your enterprise when migrating to a Windows Server 2003 Active Directory.
[BUILD 2] This tool helps you plan enterprise needs based on:
- The number of users, computers, and other objects that will be in Active Directory. These numbers affect the size of the Active Directory database.
- User activity during peak hours. This affects domain controller utilization.
- Server hardware available and the maximum desired CPU usage. This is helpful when you want to continue to use existing server hardware in the new domain structure.
- Account password expiration length. This is included because the frequency with which users are required to change passwords will impact domain controller utilization.
- Other criteria such as the number of groups an average user will belong to, the frequency with which DHCP leases are renewed (since DNS data can be stored in Active Directory, and since clients and DHCP servers will update DNS servers with registrations and deregistrations when IP addresses change, the DHCP lease time impacts Active Directory activity and domain controller performance), and more.
SLIDE TRANSITION: What kind of information does Active Directory Sizer tell you?
ADDITIONAL INFORMATION FOR PRESENTER: ADSizer:

11 Using Active Directory Sizer: What ADSizer tells you
- The hardware you will need
  - Number of domain controllers
  - Number of global catalog servers
- System requirements
  - Memory, disk space, network connectivity, etc.
- Whether the existing domain controllers will work
  - Or whether they must be upgraded
- Useful in merger scenarios
KEY MESSAGE: Active Directory Sizer uses the information you supply to calculate the size and amount of hardware you’ll need for domain controllers and global catalog servers.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] Using the information you supply, Active Directory Sizer generates a report that tells you the number of domain controllers you will need, the number of global catalog servers, and the system requirements such as memory, disk space, and network card capability.
[BUILD 2] It will also let you know if your current domain controllers have the capacity to run Active Directory in a domain of the size you have specified, or if they need to be upgraded.
[BUILD 3] This tool can be helpful during a merger or acquisition scenario, where existing domain infrastructure may change significantly.
SLIDE TRANSITION: Let’s look at an example of Active Directory Sizer output.
ADDITIONAL INFORMATION FOR PRESENTER: ADSizer:

12 Using Active Directory Sizer: Active Directory Sizer output
- Total number of namespace objects
- Domain database size and global catalog size
- Number of users
- Domain controllers
- Global catalogs
KEY MESSAGE: Sample Active Directory report
SLIDE BUILDS: 5
SLIDE SCRIPT:
[BUILD 1] This is a sample report from Active Directory Sizer.
[BUILD 2] Notice that the data listed includes the total number of namespace objects…
[BUILD 3] The domain database and global catalog size…
[BUILD 4] The total number of users…
[BUILD 5] And the number of domain controllers, bridge heads, and global catalogs.
SLIDE TRANSITION: Now let’s examine Active Directory Sizer more closely.
ADDITIONAL INFORMATION FOR PRESENTER: ADSizer:

13 Demonstration 2: Using Active Directory Sizer
Plan and size your Active Directory domain
KEY MESSAGE: In this demonstration you will see how to use the Active Directory Sizer utility to plan and size the number of Active Directory domain controllers.
SLIDE BUILDS:
SLIDE SCRIPT: In this demonstration you will see how to use the Active Directory Sizer utility to plan and size the number of Active Directory domain controllers.
SLIDE TRANSITION: Now let’s move on to the next agenda item.

14 Agenda
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Active Directory Migration Tool v2
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
KEY MESSAGE: The next agenda item is verifying name resolution.
SLIDE BUILDS: None
SLIDE SCRIPT: In this next agenda item, you’ll see how to verify that name resolution is functioning properly.
SLIDE TRANSITION: Let’s take a look at the different name resolution methods used by Windows NT 4.0 and Windows Server 2003.

15 Verifying name resolution: Name resolution methods
- WINS: Windows Internet Name Service
  - Used in Windows NT 4.0 and earlier
- DNS: Domain Name System
  - Used in Windows 2000 and later, including Windows Server 2003
  - The preferred way to locate domain controllers
- A mixed environment must support both
KEY MESSAGE: WINS and DNS are both important for name resolution.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] WINS, or Windows Internet Name Service, is a NetBIOS name server. Microsoft servers and clients register their computer names in the WINS database. Domain records that identify domain controllers and master browsers are also registered in the WINS database. Clients, servers, and domain controllers use WINS to locate other domain controllers.
[BUILD 2] DNS, or Domain Name System, is required for name resolution in Active Directory. Windows Server 2003 domain controllers use DNS to locate other domain controllers. Windows 2000 and later clients use DNS as their primary method of name resolution. They also use WINS, but as a secondary method of name resolution. Windows Server 2003 domain controllers register in the WINS database to preserve backward compatibility with previous operating systems.
[BUILD 3] In an environment where Windows NT 4.0 and Windows Server 2003 interoperate, you need to support both WINS and DNS name resolution methods to support all types of clients.
SLIDE TRANSITION: Let’s take a closer look at WINS.
ADDITIONAL INFORMATION FOR PRESENTER: Name resolution:

16 Verifying name resolution: Windows Internet Name Service (WINS)
- For NetBIOS name resolution
- Required when communicating with pre-Windows 2000 operating systems
- Domain controllers must register with the WINS database
  - Allows clients to locate domain controllers
- The following records must be registered
  - 1Bh: Domain master browser
  - 1Ch: Domain controller
KEY MESSAGE: WINS is for NetBIOS name resolution. Domain controllers register with the WINS database, which creates specific records that are key for locating domain controllers.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] WINS is for NetBIOS name resolution, which maps NetBIOS names (computer names) to an IP address. A NetBIOS name is either a unique or a group name used to identify a NetBIOS resource on the network. Microsoft operating systems use WINS to locate domain controllers and other domain resources. Pre-Windows 2000 operating systems must have WINS in a subnetted TCP/IP environment.
[BUILD 2] When you configure a WINS server address on the TCP/IP properties of a domain controller, the server will register its address with the WINS database. Several important records are created in the database, including the Domain Master Browser record and the Domain Controller record.
SLIDE TRANSITION: Let’s take a closer look at DNS.
ADDITIONAL INFORMATION FOR PRESENTER:

17 Verifying name resolution: Domain Name System (DNS)
- Required for Active Directory domains
- Windows Server 2003 domain controllers must register in DNS
  - Allows Windows 2000 and later servers and clients to locate domain controllers
- DNS records required for Active Directory
  - SRV (service locator records)
    - Kerberos: used for authentication
    - LDAP: used to find published resources
  - Other records
KEY MESSAGE: Windows Server 2003 domain controllers use SRV records to locate other domain controllers.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] In an Active Directory domain environment, DNS is required for name resolution.
[BUILD 2] Windows Server 2003 domain controllers must register in DNS. This allows other Windows 2000 and later servers and clients to locate domain controllers.
[BUILD 3] When an Active Directory domain controller registers in DNS, some important records are created. These are called Service Locator Records (SRV) and include Kerberos, used for authentication, and LDAP, used to find published resources such as printers and other Active Directory objects. Additional records identify global catalog servers, domains, and other domain-related services.
SLIDE TRANSITION: Let’s look at some command line tools that are helpful when troubleshooting name resolution problems.
ADDITIONAL INFORMATION FOR PRESENTER:

18 Verifying name resolution: Command-line tools
- NSLOOKUP
  - Displays information from DNS servers
  - Queries by record type, etc.
  - Can determine whether Active Directory domain controllers are registered in DNS correctly
- NBTSTAT
  - Uses NetBIOS over TCP/IP to resolve names to IP addresses
  - Used for name resolution, renewing WINS registrations, etc.
KEY MESSAGE: NSLOOKUP and NBTSTAT are two command line tools that can be used to diagnose DNS and WINS problems.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] NSLOOKUP is a diagnostic tool that displays information from DNS name servers. With this tool you can query by record type and look up specific records to verify that Windows Server 2003 domain controllers are correctly registered in DNS.
[BUILD 2] NBTSTAT displays protocol statistics and TCP/IP connections using NBT (NetBIOS over TCP/IP). It can be used to list a computer’s NetBIOS name table and NetBIOS name cache, as well as to renew WINS registrations.
SLIDE TRANSITION: Now let’s look at how to verify name resolution.
ADDITIONAL INFORMATION FOR PRESENTER:
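
One way to check the registrations described in slides 16 to 18, as an added example that is not part of the original presentation: the script parses captured `nbtstat -n` and `nslookup -type=SRV` output and reports a missing 1Bh/1Ch NetBIOS record or a missing or wrong-port LDAP/Kerberos SRV record. The captured output is constructed, and CONTOSO, contoso.local, dc01 and dc02 are placeholder names.

```python
"""Verify DC name registration from captured nbtstat / nslookup output."""
import re

# NetBIOS records the WINS slide lists: 1Bh domain master browser (registered
# by the PDC only, so capture the table there) and 1Ch domain controllers.
REQUIRED_NETBIOS = {"1B": "UNIQUE", "1C": "GROUP"}
# SRV services the DNS slide lists, with their standard ports.
REQUIRED_SRV = {"_ldap": 389, "_kerberos": 88}

# Constructed `nbtstat -n` name table; CONTOSO and DC01 are placeholders.
NBTSTAT_SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    CONTOSO        <00>  GROUP       Registered
    CONTOSO        <1C>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    CONTOSO        <1B>  UNIQUE      Registered
"""

# Constructed `nslookup -type=SRV` answers; contoso.local is a placeholder.
NSLOOKUP_SAMPLE = """\
_ldap._tcp.dc._msdcs.contoso.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.contoso.local
_kerberos._tcp.dc._msdcs.contoso.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc01.contoso.local
"""

NBT_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
SRV_HEAD = re.compile(r"^(\S+)\s+SRV service location:")
SRV_FIELD = re.compile(r"^\s+(port|svr hostname)\s*=\s*(\S+)")


def parse_nbtstat(text):
    """Return [(name, suffix, type, status)] from an `nbtstat -n` name table."""
    rows = []
    for line in text.splitlines():
        m = NBT_ROW.match(line)
        if m:
            rows.append((m.group(1).upper(), m.group(2).upper(), m.group(3), m.group(4)))
    return rows


def missing_netbios(rows, domain):
    """Required suffixes that are not registered for the NetBIOS domain name."""
    have = {(suffix, kind) for name, suffix, kind, status in rows
            if name == domain.upper() and status == "Registered"}
    return sorted(s for s, kind in REQUIRED_NETBIOS.items() if (s, kind) not in have)


def parse_srv(text):
    """Return [{'name', 'port', 'host'}] from `nslookup -type=SRV` answers."""
    records, cur = [], None
    for line in text.splitlines():
        head = SRV_HEAD.match(line)
        if head:
            cur = {"name": head.group(1).lower(), "port": None, "host": None}
            records.append(cur)
            continue
        field = SRV_FIELD.match(line)
        if field and cur is not None:
            if field.group(1) == "port":
                cur["port"] = int(field.group(2))
            else:
                cur["host"] = field.group(2).lower().rstrip(".")
    return records


def srv_problems(records, dns_domain, expected_dcs):
    """Report DCs without an SRV record and records on an unexpected port."""
    problems = []
    for service, port in REQUIRED_SRV.items():
        qname = f"{service}._tcp.dc._msdcs.{dns_domain.lower()}"
        answers = [r for r in records if r["name"] == qname]
        for r in answers:
            if r["port"] != port:
                problems.append(
                    f"{qname}: {r['host']} registered on port {r['port']}, expected {port}")
        registered = {r["host"] for r in answers}
        for dc in expected_dcs:
            if dc.lower() not in registered:
                problems.append(f"{qname}: no record for {dc.lower()}")
    return problems


if __name__ == "__main__":
    print("missing NetBIOS suffixes:",
          missing_netbios(parse_nbtstat(NBTSTAT_SAMPLE), "CONTOSO"))
    for problem in srv_problems(parse_srv(NSLOOKUP_SAMPLE), "contoso.local",
                                ["dc01.contoso.local", "dc02.contoso.local"]):
        print(problem)
```
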

19 Demonstration 3: Verifying name resolution
Verify WINS and DNS name resolution
KEY MESSAGE: In this demonstration you will see how to verify WINS and DNS name resolution is configured correctly and functioning properly.
SLIDE BUILDS:
SLIDE SCRIPT: In this demonstration you will see how to verify WINS and DNS name resolution is configured correctly and functioning properly.
SLIDE TRANSITION: Now let’s move on to the next agenda item.

20 Agenda
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Active Directory Migration Tool v2
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
KEY MESSAGE: The next agenda item is using the Active Directory Migration Tool.
SLIDE BUILDS: None
SLIDE SCRIPT: The next agenda item is the Active Directory Migration Tool.
SLIDE TRANSITION: Let’s look at the Active Directory Migration Tool.

21 Active Directory Migration Tool v2: ADMTv2 overview
- Graphical interface
- Migrates user, group, and computer accounts
- Migrates security information
- Performs test migrations
- Useful during
  - Migration to Windows Server 2003
  - Restructuring, acquisition, or merger
KEY MESSAGE: This is a brief overview of some of the features and uses of ADMTv2.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] The Active Directory Migration Tool is included on the OS media CD. It has an easy-to-use graphical interface that allows you to migrate user accounts, groups, and computer accounts to Active Directory domains. The tool will also analyze the migration impact both before and after the actual migration process.
[BUILD 2] This tool is helpful during a domain restructuring or after a merger or acquisition, where user, group, and computer accounts need to be moved from one domain to another.
SLIDE TRANSITION: Let’s look at one of the new features of ADMTv2: the Reporting Wizard.

22 Active Directory Migration Tool v2: Reports
- New feature in ADMT v2
- Lets you view reports on
  - Migrated user and group accounts
  - Accounts that have expired
  - Account permissions on a specific computer
  - Account name conflicts
- Generates and saves Web pages
  - Formatted for easy viewing
KEY MESSAGE: The Reporting Wizard is a new feature and generates easy-to-read Web pages.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] The Reporting Wizard is a feature that is new to ADMT.
[BUILD 2] The Reporting Wizard will summarize the results of the user and group migration operations, list accounts with expired passwords, list accounts that are assigned permissions to resources on a specified computer, and list any user accounts and groups that exist in both the source and target domains.
[BUILD 3] Each report will automatically generate and save an easy-to-read Web page with the report results.
SLIDE TRANSITION: Let’s look at some of the other new features of ADMTv2.

23 Active Directory Migration Tool v2: Other new features
- Password migration
- Multiple migration log files
- SID mapping
- Windows 2000 attribute exclusion
KEY MESSAGE: Here are some of the other new features of ADMTv2.
SLIDE BUILDS: 4
SLIDE SCRIPT:
[BUILD 1] Passwords can now be migrated for interforest user migrations. ADMT uses a Password Export Server (PES) in the source domain to perform that migration.
[BUILD 2] In ADMTv2, a new log file is created for every migration. In the old version, a single log file was used and migration information was appended.
[BUILD 3] The SID mapping feature will translate ACLs to the new SIDs of migrated user accounts, in effect keeping the permissions intact on the new accounts.
[BUILD 4] This is used for interforest migrations. The Windows 2000 attribute exclusion feature allows you to define a list of attributes to be excluded when user, group, or computer objects are migrated. Some attributes are always excluded (Object GUID, pwdLastSet, etc.). Administrators can set a per-migration attribute exclusion list using the Object Property wizard page in ADMT. This wizard displays only the attributes that are found in both the source and target domains. The administrator then has the option to choose which attributes are excluded for this individual migration only.
SLIDE TRANSITION: Now let’s look at the user migration process.

24 Active Directory Migration Tool v2: Migrating user accounts
- A two-way trust must exist between the source domain and the target domain
- Migration options
  - Specify the container to migrate to
  - Generate a complex password or migrate the existing one
  - Naming conflict preferences
  - Translate roaming user profiles
  - Fix the groups associated with the users
  - Close the migrated account or leave it open
  - Add a suffix or prefix to the migrated account
- Review the logs after the migration
KEY MESSAGE: There are several options you can configure when migrating users with ADMT.
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] A two-way trust is important, as it will enable you to perform administrative tasks on either domain, such as migrating users.
[BUILD 2] When migrating a user account, there are several options you can specify, such as:
- What container, or Organizational Unit, to migrate the new account to.
- Whether to generate a complex password or migrate the existing one.
- What to do if a naming conflict arises, such as if the domain you are migrating to already has an account of the same name.
- Migrating roaming profiles.
- The fix users’ group membership option, which allows you to add migrated user accounts to target domain groups if they were members of that group in the source domain.
- The option to rename the migrated account by adding a suffix or prefix to the name.
[BUILD 3] After the migration is complete, you should review the migration log to check for any problems that may have occurred.
SLIDE TRANSITION: Now let’s take a closer look at the Active Directory Migration Tool version 2.

25 Demonstration 4: Using the Active Directory Migration Tool
Migrate users with the Active Directory Migration Tool
KEY MESSAGE: In this demonstration you will learn how to use the Active Directory Migration Tool to migrate user accounts, groups, and computer accounts from a Windows NT 4.0 domain to a Windows Server 2003 Active Directory domain, and to analyze the migration impact both before and after the actual migration process.
SLIDE BUILDS:
SLIDE SCRIPT: In this demonstration you will learn how to use the Active Directory Migration Tool to migrate user accounts, groups, and computer accounts from a Windows NT 4.0 domain to a Windows Server 2003 Active Directory domain, and to analyze the migration impact both before and after the actual migration process.
SLIDE TRANSITION: Now let’s move on to the next agenda item.

26 Agenda
- Creating trust relationships
- Using Active Directory Sizer
- Verifying name resolution
- Active Directory Migration Tool v2
- Directory replication
- File replication
- System and group policies
- Logon script interoperability
KEY MESSAGE: The next agenda item is directory replication.
SLIDE BUILDS: None
SLIDE SCRIPT: Now we’ll look at replication between NT 4.0 and Windows Server 2003 domain controllers.
SLIDE TRANSITION: Now we will look at the Replication Monitor tool.

27 Directory replication: Replication Monitor
- Windows Support Tools utility
- More flexible and functional than the built-in tools
- Better graphical display
- Used to
  - View detailed Active Directory status
  - Force synchronization
  - View the replication topology
  - Monitor the status and performance of domain controllers
KEY MESSAGE: Replication Monitor is a Windows Support Tools utility that can be used to diagnose and troubleshoot replication.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] Replication Monitor is a Windows Support Tools utility that is more flexible and functional than built-in tools and has a better graphical display.
[BUILD 2] Replication Monitor can be used to view the low-level status of Active Directory, force synchronization between domain controllers and across site boundaries, view replication topology in a graphical format, and monitor the status and performance of domain controllers.
SLIDE TRANSITION: What are FSMO role holders?
ADDITIONAL INFORMATION FOR PRESENTER: Command-line tools: Windows Support Tools Help file

28 Directory replication: Replication Monitor
- Flexible single master operations
- Forest-level and domain-level operations are managed by a single domain controller
- The roles are
  - Schema master
  - Domain naming master
  - Primary domain controller (PDC) emulator
  - Relative ID (RID) master
  - Infrastructure master
KEY MESSAGE: FSMO roles are held by operations masters that accept requests for specific forest- or domain-wide tasks.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] Active Directory supports multi-master replication of the directory data store between all domain controllers in the domain. Some changes are impractical to perform in multi-master fashion, however, so only one domain controller, called the operations master, accepts the request for such changes. Because the operations master roles can be moved to other domain controllers within the domain or forest, these roles are called flexible single master operations, or FSMO roles.
[BUILD 2] In any Active Directory forest, there are five operations master roles that are assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
Every Active Directory forest must have the following roles. There can be only one of each such role in the entire forest:
- Schema master, which controls all updates and modifications to the schema.
- Domain naming master, which controls the addition or removal of domains in the forest.
Every domain in the forest must have the following roles. There can be only one of each such role in each domain in the forest:
- Primary Domain Controller (PDC) master, which acts as a Windows NT primary domain controller in a Windows Server 2003 and Windows NT mixed environment. The computer holding this role processes password changes from clients and replicates updates to Windows NT 4.0 backup domain controllers.
- Relative ID (RID) master, which allocates sequences of relative IDs to each of the various domain controllers in its domain.
- Infrastructure master, which is responsible for updating the group-to-user references whenever the members of groups are renamed or changed.
SLIDE TRANSITION: Now let’s look at transferring FSMO roles from one computer to another.
ADDITIONAL INFORMATION FOR PRESENTER: FSMOS:

29 Directory replication: Transferring FSMO roles
- Required when removing the domain controller that holds the roles from the domain
  - If it is unavailable, you can seize the FSMO roles
- Transfer or seize roles using
  - Active Directory Users and Computers
  - Active Directory Domains and Trusts
  - Active Directory Schema Management
  - NTDSUTIL: command-line utility
    - Any or all FSMO roles
KEY MESSAGE: There are several tools that you can use to transfer FSMO roles.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] Sometimes, a domain controller must be removed from the domain or decommissioned. If this computer happens to be a FSMO role holder, you should transfer any roles it holds to another domain controller before removing it from the domain. Transferring the role is not possible when the server has not been properly removed from the domain or is otherwise unavailable due to hardware failure. In that case you can seize the role rather than transfer it.
[BUILD 2] There are several tools you can use to transfer or seize FSMO roles. They are:
- Active Directory Users and Computers, which allows you to transfer the domain-specific roles RID master, PDC master, and infrastructure master.
- Active Directory Domains and Trusts, which allows you to transfer the forest-level role domain naming master.
- The Active Directory Schema Management MMC console snap-in tool, which allows you to transfer the forest-level role schema master.
- The NTDSUTIL command line utility, which will allow you to transfer or seize any or all FSMO roles.
SLIDE TRANSITION: Next we will look at synchronizing domain controllers.
ADDITIONAL INFORMATION FOR PRESENTER: How to: How to:

30 Directory replication: Synchronizing domain controllers
- Windows NT 4.0 tools
  - Server Manager
    - Synchronize the entire domain
- Windows Server 2003 tools
  - Active Directory Sites and Services
    - Force replication with other domain controllers
  - Replication Monitor
  - NLTEST
    - Command-line utility
    - Force full or partial synchronization
KEY MESSAGE: Windows NT 4.0 uses Server Manager to synchronize domains, while there are several ways to do it in Windows Server 2003.
SLIDE BUILDS: 2
SLIDE SCRIPT:
[BUILD 1] If you wish to force synchronization in a domain rather than wait for it to occur at regular replication intervals, you can force synchronization and replication. For example, as an administrator you may change a password for a user in a remote location. Forcing synchronization will cause this change to be replicated to a remote domain controller more quickly. In Windows NT 4.0, this is done using the Server Manager tool.
[BUILD 2] In Windows Server 2003 you can use Active Directory Sites and Services, or the Windows 2000 Support Tools utility Replication Monitor, to force synchronization. There is also a command line tool called NLTEST that you can use to force full or partial synchronization. A full synchronization causes all Active Directory data to be replicated, while a partial synchronization replicates only data that has changed since the last replication.
SLIDE TRANSITION: Now let’s look at synchronizing domain controllers.
ADDITIONAL INFORMATION FOR PRESENTER: Windows Support Tools Help.

31 Demonstration 5: Domain Controller Replication
Use Replication Monitor to view the FSMO role holders and synchronize the domains
KEY MESSAGE: In this demonstration you will use the Active Directory Replication Monitor tool to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology, and monitor the status and performance of domain controllers.
SLIDE SCRIPT: In this demonstration you will use the Active Directory Replication Monitor tool to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology, and monitor the status and performance of domain controllers.
SLIDE TRANSITION: Now let's move on to the next agenda item.

32 Agenda
Creating trust relationships; Using the Active Directory Sizer; Verifying name resolution; Active Directory Migration Tool v2; Directory replication; File replication; System and group policies; Logon script interoperability
KEY MESSAGE: The next agenda item is directory replication.
SLIDE BUILDS: None
SLIDE SCRIPT: Now let's look at file replication interoperability between Windows NT 4.0 and Windows Server 2003 domain controllers.
SLIDE TRANSITION: Now we will look at the NETLOGON share.

33 File Replication: The NETLOGON Share
Default share used so that downlevel clients can run logon scripts and apply system policies
Windows NT 4.0: %systemroot%\system32\Repl\Import\scripts
Windows Server 2003: exists for backward compatibility; %systemroot%\SYSVOL\sysvol\<DOMAIN NAME>\scripts
KEY MESSAGE: The NETLOGON share stores logon scripts and system policies used by clients.
SLIDE BUILDS: 3
SLIDE SCRIPT: [BUILD1] The NETLOGON share is a default share used by the Net Logon server for processing domain logon requests. Logon scripts and system policy files are stored in this share. [BUILD2] In Windows NT 4.0 the path to this share is %systemroot%\system32\Repl\Import\scripts. [BUILD3] In Windows Server 2003 the path to the NETLOGON share is %systemroot%\SYSVOL\sysvol\<DOMAIN NAME>\scripts. This share exists for backward compatibility, to allow continued support for downlevel clients in a mixed environment.
SLIDE TRANSITION: Now let’s look at the way file replication differs on Windows NT 4.0 and Windows Server 2003.
ADDITIONAL INFORMATION FOR PRESENTER: Netlogon Share compatibility:

34 File Replication: Differences in File Replication
Windows NT 4.0: uses the Directory Replicator service
Windows Server 2003: uses the File Replication Service (FRS)
The two are not compatible; additional steps are required to replicate files between NT4 and Active Directory domains
KEY MESSAGE: Windows NT 4.0 and Windows Server 2003 use different services for file replication. The two are not compatible.
SLIDE BUILDS: 3
SLIDE SCRIPT: [BUILD1] Windows NT 4.0 uses the Directory Replicator Service for file replication. [BUILD2] Windows Server 2003 uses File Replication Service (FRS) for file replication. [BUILD3] The two services are not compatible, so additional steps are required in order to replicate logon scripts and policy files between NT 4.0 and Windows Server 2003 domain controllers in a mixed domain. The next slide will show one tool you can use to facilitate file replication between NT4 and Windows Server 2003.
SLIDE TRANSITION: Let’s look at the LBRIDGE.CMD script.
ADDITIONAL INFORMATION FOR PRESENTER: Troubleshoot FRS:

35 File Replication: The LBRIDGE.CMD Script
Windows Resource Kit utility; synchronizes the NETLOGON shares between Windows NT 4.0 and Windows Server 2003 domain controllers; uses Xcopy or Robocopy; can be scheduled with Scheduled Tasks
KEY MESSAGE: LBRIDGE.CMD is a customizable Resource Kit script that copies files between Windows NT 4.0 and Windows Server 2003 domain controllers.
SLIDE BUILDS: 4
SLIDE SCRIPT: [BUILD1] LBRIDGE.CMD is a customizable Windows Resource Kit script. [BUILD2] You use LBRIDGE to synchronize NETLOGON shares between Windows NT 4.0 and Windows Server 2003 Domain Controllers. [BUILD3] You can customize LBRIDGE to use either Xcopy or Robocopy to copy files between the NETLOGON shares. Xcopy is easy to use, and installed on all Windows operating systems, while Robocopy is a Windows Resource Kit utility that is more robust than Xcopy because it can be configured to copy only files that have changed. [BUILD4] You can use the Scheduled Tasks applet to help automate LBRIDGE. This will be shown in the next demo.
SLIDE TRANSITION: Let’s look at configuring file replication between Windows NT 4.0 and Windows Server 2003 domain controllers.
ADDITIONAL INFORMATION FOR PRESENTER: LBridge:
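The following batch file is an added example, not the Resource Kit LBRIDGE.CMD and not part of the original session. It sketches the same idea with Robocopy: a one-way, logged copy of the NETLOGON contents from a Windows Server 2003 domain controller to an NT 4.0 domain controller. The host names, the copy direction, the use of the ADMIN$ share and the log path are assumptions.

```batch
@echo off
rem Added example (not LBRIDGE.CMD): one-way sync of logon scripts and policy
rem files from a Windows Server 2003 DC to an NT 4.0 DC with Robocopy.
rem Run on the Windows Server 2003 side under an account that can write
rem to the destination folder. Host names below are placeholders.
setlocal

rem Source: NETLOGON share of the Windows Server 2003 domain controller.
set SRC=\\W2K3-DC01\NETLOGON
rem Destination: the NT 4.0 NETLOGON folder, reached through ADMIN$
rem (%systemroot% on the NT 4.0 server).
set DST=\\NT4-DC01\ADMIN$\system32\Repl\Import\scripts
set LOG=%SystemRoot%\Temp\netlogon-sync.log

rem Stop early if either end is unreachable, so a network fault is logged
rem instead of being mistaken for "nothing to copy".
if not exist "%SRC%\" goto nosrc
if not exist "%DST%\" goto nodst

rem /E   include subfolders, also empty ones
rem /XO  skip files that are older than the copy already at the destination
rem /R:2 /W:5  two retries, five seconds apart, instead of the long defaults
rem /NP  no progress percentages in the log
rem /LOG+: append to the log so earlier runs stay available for review
rem No /PURGE: files that exist only on the NT 4.0 side are left alone,
rem so a script removed at the source must also be removed there by hand.
robocopy "%SRC%" "%DST%" /E /XO /R:2 /W:5 /NP /LOG+:"%LOG%"
set RC=%ERRORLEVEL%

rem Robocopy exit codes are bit flags; 8 or higher means at least one failure.
if %RC% GEQ 8 goto failed
echo %DATE% %TIME% sync finished, robocopy exit code %RC% >> "%LOG%"
exit /b 0

:nosrc
echo %DATE% %TIME% source %SRC% not reachable >> "%LOG%"
exit /b 16
:nodst
echo %DATE% %TIME% destination %DST% not reachable >> "%LOG%"
exit /b 16
:failed
echo %DATE% %TIME% sync FAILED, robocopy exit code %RC% >> "%LOG%"
exit /b %RC%
```

Every file copied this way is run or applied at logon on downlevel clients, so the account that runs the task and the permissions on both folders decide who can change what users execute. Review the log after scheduling it with Scheduled Tasks.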

36 Demonstration 6: File Replication
Configure file replication between Windows NT 4.0 and Windows Server 2003
KEY MESSAGE: In this demonstration you will see how to replicate logon scripts between Windows 2000 and NT 4.0 computers.
SLIDE SCRIPT: In this demonstration you will see how to replicate logon scripts between Windows Server 2003 and NT 4.0 computers.
SLIDE TRANSITION: Now let's move on to the next agenda item.

37 Agenda
Creating trust relationships; Using the Active Directory Sizer; Verifying name resolution; Active Directory Migration Tool v2; Directory replication; File replication; System and group policies; Logon script interoperability
KEY MESSAGE: The next agenda item is system and group policies.
SLIDE BUILDS: None
SLIDE SCRIPT: Now let’s look at logon script and policy interoperability between Windows NT 4.0 and Windows Server 2003.
SLIDE TRANSITION: First we will look at system policies.

38 System and Group Policies: System Policies
Used in Windows NT 4.0 domains; use the System Policy Editor to manage system policies; apply to a user, group, computer, or as a default policy that affects all users in the domain
Policy files are stored in the NETLOGON share: NTCONFIG.POL for NT and later; CONFIG.POL for Windows 9x
KEY MESSAGE: System policies are used in Windows NT 4.0 domains and saved in the NETLOGON share.
SLIDE BUILDS: 4
SLIDE SCRIPT: [BUILD1] System policies are used in Windows NT 4.0 domains, although Windows 2000 and later operating systems will load and use existing system policies. System policies can be used to restrict access to certain applications or resources, or to force a custom client configuration, such as desktop icons or start menu shortcuts. [BUILD2] You use the System Policy Editor application to create, modify, and manage system policy files. [BUILD3] System policies can be applied to a specific user, group, or computer. You can also create a default system policy that will affect all users in the domain. [BUILD4] You store system policies in the NETLOGON share. Windows NT and later operating systems will recognize system policy files named NTCONFIG.POL, while Windows 9x-based operating systems use CONFIG.POL files.
SLIDE TRANSITION: Next we will look at group policies.

39 System and Group Policies: Group Policies
Used in Windows 2000 and later domains, including Windows Server 2003; more robust than system policies; more granular assignment and filtering; can be assigned to sites, domains, and organizational units
KEY MESSAGE: Group policies are used in Windows 2000 and later operating systems, and are more powerful than system policies.
SLIDE BUILDS: 3
SLIDE SCRIPT: [BUILD1] Group policies are used in Windows 2000 and later domain environments, including Windows Server 2003. [BUILD2] You can use group policies to define default settings that will be automatically applied to users and computers. These settings can determine security options, software configuration, desktop settings and folder redirection. Software can also be deployed through group policies. Group policies are more robust than system policies because you have more granular control of where policies are applied, who they are assigned to, and the ability to filter policies. [BUILD3] Group policies can be assigned to the site, domain, or organizational units.
SLIDE TRANSITION: Next we will look at how to migrate a system policy into a group policy.
ADDITIONAL INFORMATION FOR PRESENTER: Group Policy Walkthrough:

40 System and Group Policies: Migrating System Policies
Windows 2000 and later server and client: reads the NTCONFIG.POL file; system policies remain in force; they replace group policies
Use GPOLMIG to migrate system policies to Group Policies: Windows Resource Kit utility; command-line tool; the migration procedure must be followed; the procedure is shown in the next demo
KEY MESSAGE: Windows 2000 and later operating systems will still enforce system policies. GPOLMIG can be used to migrate system policies to Group Policies.
SLIDE BUILDS: 2
SLIDE SCRIPT: [BUILD1] Windows 2000 and later operating systems will still read and enforce system policy files; however, any group policy in place will supersede a system policy. [BUILD2] The Windows Resource Kit includes a command line tool called GPOLMIG that you can use to migrate system policies to group policies. This detailed procedure will be shown in the next demo. You may wish to migrate system policies to group policies in order to preserve existing policy settings while taking advantage of Group Policy flexibility.
SLIDE TRANSITION: Now let’s look at how to migrate system policies to group policies.
ADDITIONAL INFORMATION FOR PRESENTER: Migrating Group Policies:

41 Demonstration 7: System and Group Policies
Migrate system policies to Group Policies
KEY MESSAGE: In this demonstration you will see how to migrate system policies from NT 4.0 to Windows Server 2003 Group Policies.
SLIDE SCRIPT: In this demonstration you will see how to migrate system policies from NT 4.0 to Windows Server 2003 Group Policies.
SLIDE TRANSITION: Now let's move on to the next agenda item.

42 Agenda
Creating trust relationships; Using the Active Directory Sizer; Verifying name resolution; Active Directory Migration Tool v2; Directory replication; File replication; System and group policies; Logon script interoperability
KEY MESSAGE: The next agenda item is logon script interoperability.
SLIDE BUILDS: None
SLIDE SCRIPT: Finally we’ll look at logon script interoperability.
SLIDE TRANSITION: Now we will look at how to assign logon scripts in Windows NT 4.0 and Windows Server 2003.

43 Logon Script Interoperability: Assigning Logon Scripts
Logon scripts are stored in the NETLOGON share
Logon scripts in Windows NT 4.0: assigned in User Manager for Domains; Profile button in the user's properties
Logon scripts in Windows Server 2003: assigned in Active Directory Users and Computers; Profile tab in the user's properties; also assigned through group policies
KEY MESSAGE: Logon scripts are stored in the NETLOGON share, and assigned using User Manager for Domains or Active Directory Users and Computers.
SLIDE BUILDS: 3
SLIDE SCRIPT: [BUILD1] Logon scripts are stored in the NETLOGON share. [BUILD2] You assign logon scripts to users in Windows NT 4.0 using User Manager for Domains. You select the properties of the user you wish to add the logon script to and click the Profile button. [BUILD3] In Windows Server 2003 you use Active Directory Users and Computers to assign a logon script to a user. You can either select the Profile tab under user properties, or use group policies.
SLIDE TRANSITION: Next we will look at assigning a Visual Basic script as a logon script.

44 Logon Script Interoperability: Visual Basic Scripts as Logon Scripts
Windows NT 4.0: only .BAT, .CMD, and .EXE files are allowed as logon scripts
Windows Server 2003: supports running .VBS scripts
How to use VB scripts in NT 4.0: create a batch file that runs the .VBS; assign the batch file as the user's logon script
KEY MESSAGE: Windows NT 4.0 will not execute .VBS scripts, but Windows Server 2003 will. Use a batch file to work around this.
SLIDE BUILDS: 3
SLIDE SCRIPT: [BUILD1] Windows NT 4.0 will execute only .BAT, .CMD, and .EXE files as logon scripts. It will not recognize a Visual Basic .VBS file as a valid logon script. [BUILD2] Windows Server 2003 supports executing all valid NT 4.0 scripts as well as Visual Basic scripts. [BUILD3] You can execute a VB script file by embedding it in a .BAT file and assigning the batch file as a logon script.
SLIDE TRANSITION: Now let’s look at how to configure logon script interoperability.
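The batch file below is an added example of the workaround described on this slide, not code from the original session. The file name logon.vbs is hypothetical, and the example assumes Windows Script Host (cscript.exe) is installed on the client and that both files sit in the same folder of the NETLOGON share.

```batch
@echo off
rem Added example: batch wrapper that is assigned as the user's logon script
rem so that an NT 4.0 domain controller will accept it; it then starts the
rem real VBScript logon script. "logon.vbs" is a hypothetical file name.

rem Windows Script Host is assumed to be installed on the client.
rem If it is missing, say so instead of failing silently.
if not exist "%SystemRoot%\system32\cscript.exe" goto nowsh

rem %0 is the full path this wrapper was started from (the NETLOGON share
rem of the authenticating domain controller), so %0\..\ is its folder.
rem Referencing the .vbs relative to it avoids hard-coding a server name.
rem //B      batch mode: no prompts or script error dialogs shown to the user
rem //NoLogo suppress the Windows Script Host banner
"%SystemRoot%\system32\cscript.exe" //B //NoLogo "%0\..\logon.vbs"
goto end

:nowsh
echo Windows Script Host was not found; logon.vbs was not run.

:end
```

Because the wrapper and the .vbs file are both read from NETLOGON, write access to that share controls what runs for every user the wrapper is assigned to.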

45 Demonstration 8: Logon Script Interoperability
Visual Basic scripts as logon scripts in Windows NT 4.0
KEY MESSAGE: In this demonstration you see a workaround that allows you to run VBScript as logon scripts in NT 4.0.
SLIDE BUILDS: None
SLIDE SCRIPT: In this demonstration you see a workaround that allows you to run VBScript as logon scripts in NT 4.0.
SLIDE TRANSITION: Now let’s review what we’ve talked about.

46 Session Summary
Use AD Sizer to plan your domain; verify name resolution; migrate users with the Active Directory Migration Tool; use LBridge to patch NT 4 to Windows Server 2003 file replication; GPolMig migrates System Policies to Group Policies; launch VB Script logon scripts from a batch file in NT 4.0
KEY MESSAGE: These are the key points to take away from this session.
SLIDE BUILDS: None
SLIDE SCRIPT: These are the key points to take away from this session: Use AD Sizer to plan your domain. Verify name resolution. Migrate users with the Active Directory Migration Tool. Use LBridge to patch NT 4 to Windows Server 2003 File replication. GPolMig migrates System Policies to Group Policies. Launch VB Script logon scripts from a batch file in NT 4.0.

47 For More Information... www.microsoft.com/technet/tnt1-79
TechNet main Web site; the resources page for this session
SLIDE BUILDS: None

48 For More Information...
Windows Server 2003 Web site; Upgrading from Windows NT
KEY MESSAGE: These are some additional sites you can use to get more knowledge and information.
SLIDE BUILDS: None
SLIDE SCRIPT: These are some additional sites you can use to get more knowledge and information. The Windows Server 2003 Web Site at The Upgrading from Windows NT at
