La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere


Presentaciones similares

Presentación del tema: "TNT1-99 KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT:"— Transcripción de la presentación:


2 Cómo migrar sus servicios de directorio Windows NT® 4
Cómo migrar sus servicios de directorio Windows NT® 4.0 a Active Directory™ KEY MESSAGE: Introduce the Session SLIDE BUILDS: None SLIDE SCRIPT: Hello and Welcome to this Microsoft TechNet session on How To Migrate Your Windows NT® 4.0 Directory Services to Active Directory. My name is {insert name}. [Do not use the term FIELDCONTENT] SLIDE TRANSITION: So let us start with a look at what we will cover in this session. Microsoft Corporation

3 Lo que vamos a cubrir: Terminología de migración
Escenarios soportados de migración Cuándo y cómo actualizar Cuándo y cómo reestructurar Descripción general de la herramienta para la migración impulsada por procesos KEY MESSAGE: Explain what we will cover and the scope of the session. SLIDE BUILDS: None. Bullets come in automatically. SLIDE SCRIPT: In this session, we have a detailed look at how to migrate NT 4.0 resources, such as users, groups, computers and security principles into the Active Directory. The first thing to mention is that, while throughout this session you will see references to Windows Server 2003, a lot of the theory and techniques described are applicable to Windows 2000. And that applies to our first topic, terminology. This hasn’t changed between the two releases. The terminology is Active Directory-based, as we will see. We will look at the supported migration scenarios for moving resources, then look at the reasons to either upgrade an existing NT 4 environment to Active Directory or to restructure it. There are pros and cons to each, and while this session does not directly say to use one over the other, the aim is to give you the information to help you best make that decision for your environment. We will also see a lot of the migration tool through this session, as I’ll be using it extensively in a restructure demo. SLIDE TRANSITION: So what key knowledge is advantageous to getting the most from this session?

4 Prerrequisitos Esta sesión supone que usted tiene una comprensión básica de: Servicios de directorio de Windows NT 4.0 Active Directory™ KEY MESSAGE: What is advantageous to understand for this session? SLIDE BUILDS: None. Bullets automatically come in. SLIDE SCRIPT: As this is a migration session, we will be talking a lot about the directory service in both NT 4 and Windows Server products. So having an understanding of both will be an advantage. If you don’t have an understanding of the Active Directory, then I would suggest having a look first at the session Active Directory Fundamentals on TechNet. That session id is TNT1-98. SLIDE TRANSITION: So lets look at the agenda and dive right in. Nivel 200

5 Agenda Terminología de migración Escenarios de migración
KEY MESSAGE: Explain how the session breaks down. SLIDE BUILDS: None SLIDE SCRIPT: I’m really only going to talk about two areas, the terminology and the scenarios. But as you will see, the scenarios will be the majority of this session and I didn’t want to clutter up an agenda slide will lots of little items. SLIDE TRANSITION: We’ve got a lot of ground to cover in a short period, so lets start with the terminology.

6 Terminología de migración Términos
Migración de dominio Actualización Reestructura Modo mixto Windows 2000 y NT 4.0 Windows 2000, Windows Server 2003 y NT.40 Modo nativo Windows 2000 nativo Windows Server 2003 nativo KEY MESSAGE: Introduce the basic terms. SLIDE BUILDS: None SLIDE SCRIPT: The one thing Microsoft is good at, after creating software, is creating terms to describe that software. Each new release seems to also bring out a plethora of new acronyms, phrases, and other terminology. Well, migration has it’s fair share. Fortunately, when it really comes down to it, the two main terms to understand are Upgrade and Restructure. These two terms describer the two ways to migrate NT 4 resources to Active Directory. These two terms are not product-related or technology-related; they just describe the two types of migration you have to choose from. The Modes are product-related, and these describe the mode in which Windows 2000 or Windows Server 2003 operate. Even within these there are different modes. Windows 2000 supports the two modes while Windows Server 2003 supports three. We’ll come on to those in a bit. SLIDE TRANSITION: For now, lets concentrate on Restructure and, firstly, Upgrade. ADDITIONAL INFORMATION FOR PRESENTER:

7 Terminología de migración Actualizar
“Actualizar en el lugar” Ruta más fácil y con el menor riesgo Mantener la estructura existente KEY MESSAGE: Describe what an Upgrade is. SLIDE BUILDS: None SLIDE SCRIPT: We can define the term “Upgrade” as the process of upgrading the software on the Primary Domain Controller (PDC) of a domain, and upgrading some or all of the Backup Domain Controllers (BDCs), from Windows NT 4.0 to Windows 2000 or Windows Server Because this is an operating system upgrade rather than a fresh installation, the existing domain structure, users, and groups are maintained, though in the process new Windows Server features are enabled. In fact, the biggest distinction between upgrade and consolidation lies in the fact that, in upgrading, we are maintaining the existing domain structure. This means that Upgrade represents the easiest, least-risk migration route because it retains most of your system settings, preferences, and program installations. SLIDE TRANSITION: So how does this compare to restructure? ADDITIONAL INFORMATION FOR PRESENTER: MUD RES3 RES2 RES1 MUD Actualización RES1 RES2 RES3 Sugerencia: La mayoría de las organizaciones simplemente pueden actualizar en el lugar

8 Terminología de migración Reestructurar
“Consolidación” o “colapso” Mover los principales de seguridad entre dominios Diseñar un bosque ideal KEY MESSAGE: Describe what a restructure is. SLIDE BUILDS: None SLIDE SCRIPT: Domain restructure on the other hand is a process designed to allow you to redesign the forest according to the needs of your organisation. Though restructure can result in any number of different outcomes, typically the result is some rationalisation of the current structure, and perhaps a move to fewer larger domains. These domains represent your version of the “Pristine Forest” for your organisation. For a small organisation, it may mean a single domain. For a worldwide enterprise, it may mean fewer domains based around geographical boundaries. SLIDE TRANSITION: Let’s shed some light on the Mode terminology. ADDITIONAL INFORMATION FOR PRESENTER: compañ america.compañ europa.compañ MUD1 RES1 RES2 RES3 MUD2 Reestructurar Sugerencia: Al diseñar su bosque ideal, el tamaño SAM ya no es una restricción

9 Terminología de migración Modo mixto versus Modo nativo
Cesa la duplicación Netlogon Sin restricción del tamaño de SAM Están activados los nuevos tipos y funciones de grupo Grupos universales Grupos locales del dominio Grupos anidados Están activadas las confianzas transitorias de Kerberos Modo mixto No puede actualizar los servidores de aplicación Seguridad física inadecuada de BDCs Necesita replegar a Windows NT KEY MESSAGE: Describe the different modes. SLIDE BUILDS: None SLIDE SCRIPT: When we talk about modes, there are two kinds—Mixed and Native. In the Windows 2000 world, this means simply that mixed mode is one or more Windows 2000 Domain controllers and one or more Windows NT 4.0 Backup domain controllers. Emphasis is on the Backup Domain controllers, as these are the key to mixed mode. A Windows 2000 Native mode environment simply means there are no NT 4.0 servers that hold a copy of the Domain’s SAM database. In other worlds, no Backup Domain Controllers. This does not exclude member servers as these expect to get the account information from another server to begin with. However, Native mode turns off the account replication between a Windows 2000 Domain controller and NT 4.0. In Windows Server 2003, mixed mode means exactly the same. The Native mode I’ve just described in Windows Server 2003 is call Windows 2000 Native mode, this supports both Windows Server 2003 Domain Controllers and Windows 2000 Domain controllers. There is a third mode for Windows Server 2003:Tthis is Windows Server 2003 Native mode. This mode supports some of the new features of the product, such as domain rename, that are not available in Windows 2000; therefore this mode purely means no Windows NT 4.0 or Windows 2000 servers are participating in account replication. When thinking about modes, there are some facts that come into play about choosing which mode to run in. Ideally, the goal should be to run in the native mode of the OS. However, there are times when Mixed mode is required; for example, you cannot upgrade application servers because these applications that must run on a BDC and for some reason they will not run on Windows 2000. Inadequate physical security of BDCs. Because of the single-master nature of Windows NT directory updates, you might be comfortable with comparatively relaxed security on your BDCs. If this is the case, you need to reconsider this when upgrading them to Windows 2000 DCs. Fallback to Windows NT remains necessary. One of the features of mixed mode, as will have become apparent, is the degree of backward compatibility. Mixed mode has the benefit of allowing new Windows NT BDCs to be added to the domain if a problem arises. If necessary, once the BDC has joined the domain, you could force a resynchronization of the account database. The first thing that Native mode does is stop Netlogon replication. You can no longer add new Windows NT BDCs to the domain. Which, from the last point on the Mixed mode list, negates the ability to fall back to NT 4.0 without some form of backup. However, there advantages of Native mode are that there are new group types such as universal and domain local groups, and group nesting, are enabled. The Windows NT maximum SAM size recommendation of 40 megabytes (MBs) is lifted. The ticket-based protocol Kerberos is enable. Kerberos is where users are issued Ticket Granting Tickets (TGTs). Ticket Granting Tickets contain authentication information about the user, which can then be presented back to the DC as part of requests for additional session tickets to connect to other servers in the domain. Once the user has been granted a TGT, subsequent checks are quick and efficient since the DC merely needs to decrypt the TGT to check the user’s credentials. Transitive or implicit trusts reduce the need for complex explicit trusts and reduce the administration required to maintain the explicit trusts. SLIDE TRANSITION: That’s the terminology out the way. Lets start looking at the types of migration that are supported. ADDITIONAL INFORMATION FOR PRESENTER:

10 Agenda Terminología de migración Escenarios de migración
KEY MESSAGE: Holding slide to enforce the transition from the previous slide. SLIDE BUILDS: None SLIDE SCRIPT: SLIDE TRANSITION:

11 Escenarios de migración Escenarios de migración soportados
Actualizar en el lugar Migrar a los usuarios y grupos Migrar los recursos KEY MESSAGE: Introduce the Migration Scenarios. SLIDE BUILDS: None SLIDE SCRIPT: So now let’s address the supported migration scenarios. As I mentioned earlier, I’m probably not going to describe an exact migration fit for each organization, but I will try and provide enough information to help you make the best choice for your organization. Although having said that, what we have typically found is that upgrade is typically best suited for small organizations and restructuring for large enterprises. SLIDE TRANSITION: So lets start with Upgrading in Place. ADDITIONAL INFORMATION FOR PRESENTER:

12 Escenarios de migración Cuándo actualizar en el lugar
¿Es su arquitectura existente de dominio una arquitectura de dominio óptima de Windows 2000? Sí  Actualización No  ¿Es aceptable una migración en dos fases? Sí  Actualice ahora, reestructure después No  No realice una actualización en el lugar KEY MESSAGE: So when would you upgrade in place? SLIDE BUILDS: None SLIDE SCRIPT: Well, if you are you happy with your existing domain structure, there is no reason to do anything other than upgrade. If, however, you are not happy with this structure and think that after reviewing the Active Directory you can come up with a better design, then next question to ask is, Can I spend the time now designing my environment or am I under pressure to install the Active Directory? If you need to install Active Directory now and don’t have time to redesign, then that’s again OK, you can perform a two-phased migration. Upgrade your domain now and the restructure later. This is when it is more advantageous to upgrade to Windows Server 2003 with it’s ability to rename domains and also the ability to move them around a bit. If you answered no to both questions, then a restructure is the way to go. SLIDE TRANSITION: So how do you upgrade in place? ADDITIONAL INFORMATION FOR PRESENTER:

13 Modelo de árbol y bosques de Windows 2000
Escenarios de migración Cómo actualizar en el lugar Modelo de árbol y bosques de Windows 2000 Arquitectura previa a Windows 2000 KEY MESSAGE: Upgrading in place, as then term implies is fairly straight forward SLIDE BUILDS: None SLIDE SCRIPT: This diagram illustrates converting from the Classic NT4 multi-master domain model where Users are grouped in Master User domains and resources are collected in Resource Domains, to the Windows 2000 model of trees of domains in a forest of trust. A significant difference between these two models is trust management. Before Windows 2000, a one way trust had to be explicitly established between a resource domain and every account domain containing users it trusted. Every Windows 2000 domain created or upgraded automatically establishes a two-way transitive trust between it and it’s new parent. 2-way trust means that resources in the new domain trust users from the parent domain AND vice verse, resources in the parent domain trust users from the child domain. The transitivity of this trust comes into play when accessing resources in a domain that is not your parent or child. Transitivity means: I not only trust you, I also trust everyone that you trust. E.g. Marketing not only trusts Users from North America, but it trusts users from New York as well, even though there’s no explicit trust This upgrade works in a similar fashion to the Single Domain Upgrade. In this case you must also specify where in the forest the domain will be located. SLIDE TRANSITION: So lets break the steps down. ADDITIONAL INFORMATION FOR PRESENTER: NORTE AMERICA NUEVA YORK NORTE AMERICA NUEVA YORK MARKETING RD2 RD3 MARKETING RD2 RD3

14 Escenarios de migración Actualización en el lugar
Actualice un PDC y cree la raíz del bosque Actualice los dominios de cuentas Actualice los dominios de recursos Actualice las estaciones de trabajo Actualice los servidores miembro KEY MESSAGE: So what do you have to do? SLIDE BUILDS: None SLIDE SCRIPT: You must upgrade the PDC first, then the BDCs. The question of which domain to upgrade first is more problematic, and the answer may vary depending on your circumstances. For example, if you are planning to restructure certain domains out of existence later, there might be little point in upgrading them first. Though your situation may change this, a general recommendation is that you should consider the following order for upgrading your domains: 1.   Account domains 2.   Resource domains Workstations and member servers can be upgraded at any time As a general rule, you will get the most benefit from upgrading your account domains earliest because in most cases there will be more users to administer than computers. By upgrading your account domains to Windows 2000 you will benefit from: Improved scalability of Active Directory - Many organizations are pushing the upper bounds of the recommended SAM size with their existing numbers of users and groups. Delegated administration – The ability to delegate administrative capability at very fine granularity, without the necessity to grant absolute power. Sugerencia: AD está expuesto a PCs con un nivel inferior como un dominio plano estilo Windows NT 4.0

15 Escenarios de migración Actualización en el lugar: Dominios de cuenta
Fase 1: Mitigue el riesgo y mantenga el control Dominios con menos usuarios; Controladores de dominio controlados por el equipo de migración Fase 2: Dominios de cuenta más grandes Fase 3: Dominios locales que se deben reestructurar KEY MESSAGE: Some guidelines for migrating the account domains. SLIDE BUILDS: None SLIDE SCRIPT: If you have more than one account domain, the following guidelines should help you choose in which order to upgrade them: Try to Mitigate risk and disruption and Maintain control. Though you will have tested your upgrade strategy in a lab or via a pilot, the first live migration will be the riskiest. To mitigate risk, you should upgrade domains where you have easiest access to the DCs. If there is more than one domain to choose from in any situation, upgrade the smallest first so that you minimize disruption to the most possible users, particularly while you are gaining experience of the process. Once you have gained experience of and confidence in the process, move onto the bigger account domains. If you are planning to restructure your domains, you should look to upgrade the likely targets of restructure early in the process. You cannot consolidate domains into a target that does not exist. SLIDE TRANSITION: So what about all those resource domains you may have? Are there guidelines for those? ADDITIONAL INFORMATION FOR PRESENTER: Sugerencia: Un administrador que trabaja con un cliente sin AD puede seguir utilizando las herramientas de administración de Windows NT 4.0

16 Escenarios de migración Actualización en el lugar: Dominios de recursos
Fase 1: Recursos donde lo solicitan las actualizaciones de aplicaciones Fase 2: Dominios con muchas estaciones de trabajo Fase 3: Dominios de recursos a reestructurar Fase 4: Dominios restantes KEY MESSAGE: Some guidelines for migrating the resource domains SLIDE BUILDS: None SLIDE SCRIPT: If you have more than one resource domain, the following guidelines should help you choose which order to upgrade them: First, you should upgrade domains where you are deploying applications that demand Active Directory, for example Exchange 2000 and 2003. Next, you should upgrade domains with many workstations, so that you can take advantage of Windows 2000 or Windows Server 2003 infrastructure features such as Group Policy. Just as with account domains, if you are planning restructure of your domains, you should look to upgrade the likely targets of restructure fairly early on. SLIDE TRANSITION: Finally, after account domains and resource domains, the only things left are the workstations and members servers. How do you migrate those? ADDITIONAL INFORMATION FOR PRESENTER: Sugerencia: No necesita completar una actualización del dominio de cuenta antes de empezar una actualización del dominio de recursos

17 Escenarios de migración Actualización en el lugar: Estaciones de
trabajo y servidores miembro Fácilmente actualizable en cualquier momento Razones para actualizar Capacidad de administración Soporte al sistema de archivos Servicios de aplicaciones Uso compartido y publicación de la información KEY MESSAGE: Some guidelines for migrating the workstations and member servers. SLIDE BUILDS: None SLIDE SCRIPT: The thing with member servers and workstations is that these can be upgraded at any time. In fact for workstations, there may even be a separate project just for those. Workstation upgrades affect a lot more users directly, what with a different interface and possibly upgraded Office applications. So while they can be done any time, it is probably best to do that separately. Member servers are similar to workstations in as much as they don’t really mind which OS they run or in which type of domain they run. The caveat to this are servers that run applications that need a specific OS running the domain or those that just get the best out of being in an Active Directory world, for example a RRAS Server. If you have one, it’s probably a member server. The Windows 2000 / Windows Server 2003 version of this is much more powerful and secure than the NT 4.0 version, and this should be one to look at first. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER: Sugerencia: Las estaciones de trabajo y los servidores miembro se pueden actualizar a Windows 2000 independientemente de la actualización del dominio

18 Escenarios de migración Actualización en el lugar
Saque de línea el BDC BDC Actualice el PDC Mixed Mode Windows NT4 Modo nativo Cambie a modo nativo KEY MESSAGE: Describe the different modes SLIDE BUILDS: None SLIDE SCRIPT: Before upgrading any machines in this domain, be sure to take an existing BDC offline. This machine will serve as a backup in case a rollback to the NT 4 state is necessary, so make sure it is synchronized before taking it offline. Begin by upgrading the PDC Prior to upgrade, you must know where the domain you are upgrading fits into the Windows 2000 hierarchy. Is this domain controller a forest root, a child domain, etc… After the PDC has been upgraded, what do downlevel DCs see? They see the NETBIOS name given to the Windows 2000 domain during setup. Upgrade one or more BDCs right away; don’t leave PDC as only upgrade Windows 2000 Clients “prefer” a windows 2000 domain controller – (and cache preference) so, upgrading another machine spreads the load This also enables Multi-master replication Administrators can make changes at any Windows 2000 DC - Any of these changes are replicated to the DC acting as PDC, and are then replicated to BDCs using netlogon replication More scalable, responsive for large domains w/many clients After the upgrades, DS enabled clients begin: Intelligently locating DCs using sites Using the DCs to find objects in the directory Non DS clients, continue to validate using NTLM against a Windows 2000 DC If you leave your domain in mixed mode (i.e. continue to have downlevel machines) you cannot take advantage of the nested Groups or Universal Groups – these features are available in Native Mode Only If you need to roll back from mixed mode, take the current PDC off the network or make it a BDC, put the offline BDC back online, promote it to PDC to fix remaining BDCs. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER: Actualice los BDCs PDC BDC BDC BDC

19 Escenarios de migración Cuándo reestructurar
Si la estructura existente del dominio Windows NT 4.0 no encaja en su estructura objetivo de dominio con Windows 2000 Si desea migrar gradualmente y proporcionar capacidades de repliegue para Windows NT 4.0 KEY MESSAGE: So we’ve looked at the reason to upgrade in place, and if that didn’t apply, then it’s a restructure? SLIDE BUILDS: None SLIDE SCRIPT: So the big reasons to restructure are either that the current domain structure does not meet the requirements of the business and a new structure would be most cost-effective and flexible, or that you want to have a fallback to the NT 4.0 environment if things do go pear-shaped. Once the new forest has been built, restructuring will begin with a pilot, where a number of users, groups, and resources are migrated to the new environment to act as an advance party, ensuring that business can carry on as normal in the new structure. On successful completion of this phase, the pilot will transition into a staged migration to the new environment. At some point, Windows 2000 will become the production environment. The old domain structure will be decommissioned, and the remaining resources will be redeployed. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER: Sugerencia: Su nueva arquitectura de dominio debe considerar los efectos de la duplicación

20 Escenarios de migración
Reestructurar con repliegue Metas Crear un ambiente “prístino” de Windows 2000 Se mantiene el ambiente de producción existente de Windows NT 4.0 Hacer el repliegue al ambiente Windows NT 4.0 Mantener el acceso a los recursos Realice una copia no destructiva (clon) KEY MESSAGE: So lets look at a restructure with fallback. SLIDE BUILDS: None SLIDE SCRIPT: In a nutshell, Domain upgrade is a process designed to maintain as much of your current environment as possible, including your domain structure. While Domain restructure, on the other hand, is a process designed to allow you to redesign the forest according to the needs of your organization. Though restructure can result in any number of different outcomes, typically the result is some rationalization of the current structure, and perhaps a move to fewer larger domains. In the past, there have been a number of third-party directory management tools that have provided domain-restructuring support for Windows NT. Now both Windows 2000 and Windows Server 2003 provide native functionality to enable domain-restructuring scenarios, namely: Security principals can be moved from one domain to another while maintaining pre-move access to resources. DCs can be moved from one domain to another without complete reinstallation of the operating system. There is also a graphical tool to make domain restructuring easier, together with some scriptable COM components and command line utilities to aid restructuring operations. In the up-and-coming demonstrations, the goals stated here are the goals the dummy company wishes to achieve. SLIDE TRANSITION: The main tool that we will use is the Active Directory Migration Tool. ADDITIONAL INFORMATION FOR PRESENTER: Sugerencia: Su nueva arquitectura de dominio debe considerar los efectos de duplicación

21 Escenarios de migración herramienta de migración de Active Directory
Impulsado por asistentes Ejecución de prueba Informes Capacidad de repliegue Auditoría El agente que vuelve a generar ACL se ejecuta en Windows NT 3.51, Windows NT 4.0 y Windows 2000 KEY MESSAGE: Introduce and talk about the ADMT. SLIDE BUILDS: None SLIDE SCRIPT: The Active Directory Migration Tool provides an easy way to migrate to the Active Directory. You can use this tool to diagnose any possible problems before starting migration operations to Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:

22 Nuevo dominio para Europa
Escenarios de migración Escenarios de importadores a nivel mundial Dominio de cuentas en Londres KEY MESSAGE: The Wide World Importers Demo. SLIDE BUILDS: None SLIDE SCRIPT: The demonstration scenario that we will be using is to migrate the Wide World Importers London office NT 4 environment to Active Directory. In this example, the target system is Windows Server 2003. We won’t be doing the whole migration. Instead, we will work on the Call Centre group and migrate those users and groups over. We will also use the ADMT to ensure that the resources on the NT 4 file server that the call centre groups uses are still accessible while using the new Active Directory accounts. As we go through the demonstration, I’ll explain more. SLIDE TRANSITION: So let’s start with setting up the environment ready for the migration. ADDITIONAL INFORMATION FOR PRESENTER: Nuevo dominio para Europa Dominio de recursos en Londres.

23 demo Establecer la migración Cambiar los modos
Preparar para ejecutar la herramienta de migración de Active Directory KEY MESSAGE: Setting up for the migration demonstration. SLIDE BUILDS: None SLIDE SCRIPT: SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:

24 Escenarios de migración Migrar usuarios de NT 4.0
1. Crear un nuevo bosque “prístino” de Active Directory Objetivo 2. Establecer las confianzas necesarias para mantener el acceso a los recursos 3. Clonar los grupos globales KEY MESSAGE: Migrating users to Active Directory. SLIDE BUILDS: 6 SLIDE SCRIPT: So lets look at migrating Users over from our NT 4 Domain. [BUILD 1] The first step to this process is to create the ideal or “pristine” Active Directory Forest. [BUILD 2] Next, to ensure that users in either environment can access the same resource from either their NT 4 account or their Active Directory account, we need to establish trusts between all the environments. [BUILD 3] Now we can use tools like the ADMT to migrate the Groups… [BUILD 4] …and the users. We could use the ADMT to do both at once, but this all depends on the environment. In the up-and-coming demonstration, this is what we will do. [BUILD 5] Finally, we could decommission the Account domain. SLIDE TRANSITION: Lets see an example of this in action. ADDITIONAL INFORMATION FOR PRESENTER: 4. Clonar el conjunto de usuarios 5. Terminar por sacar de servicio el dominio Fuente ¡Repliegue en cualquier momento! Dominio de recursos Dominio de recursos

25 demo Migrar a los usuarios
Crear contenedores para los usuarios migrados Migrar a los usuarios y a los grupos del centro de llamadas KEY MESSAGE: Describe the different modes. SLIDE BUILDS: None SLIDE SCRIPT: In this demonstration, we will take a section of the user base—in this case, the Call Centre group of Wide World Importers—and migrate them over from the NT 4 environment into a new OU in the Active Directory. SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:

26 Unidad organizacional objetivo
Escenarios de migración Migrar los recursos de NT 4.0 1. Clonar los grupos locales 2. Degradar los servidores de aplicaciones 3. Mover los servidores KEY MESSAGE: Describe the different modes. SLIDE BUILDS: None SLIDE SCRIPT: So we’ve seen users, now let’s talk about resources. [BUILD 1] The first step to this phase is to clone the locals that are used to assign permissions to. Remember from our Active Directory basics that Domain Local Groups are the group of choice when assigning local permissions, so we have to ensure they exist in the Active Directory. [BUILD 2] Next, demote the servers out of one domain… [BUILD 3] … and move them or add them to the new domain. [BUILD 4] Once all the resource have been moved, we can decommission the resource domain. SLIDE TRANSITION: Let’s move onto some Security concepts you need to be aware of when moving users—and we are not talking about the latest patches. This is how security principals are effected during migration. ADDITIONAL INFORMATION FOR PRESENTER: 4. Terminar por sacar de servicio el dominio fuente Dominio de cuentas Unidad organizacional objetivo Dominio de recursos

27 Escenarios de migración Conceptos importantes de Windows NT 4.0
LON-ACC\STEPHB LON-ACC LON-ACC\Call Centre All Miembros: LON-ACC\STEPHB KEY MESSAGE: So, starting on a security note, lets recap some important concepts to remember. SLIDE BUILDS: None SLIDE SCRIPT: Now that we’ve seen how users and computers are migrated, let’s cover how their security principals are migrated. But before we do that, let’s discuss how a user gains access to resources in NT4.0. We will use the Demo setup I have as the example. We have a typical Master User Domain (MUD) architecture – the domain is called AcctDomain. [BUILD 1] So we have the London Account domain… [BUILD 2] …with user Stephanie, who is the manager of the call Centre Team. [BUILD 3] She is therefore a member of the Call Centre All group. [BUILD 4] The resources for the London office live in one of the London Resource domains. In this case, Stephanie’s workstation and all the Call Centre documents, profiles, printers, etc., live here. Mainly off the Lonfilesrv01. [BUILD 5] There is a trust, which allows the resource domain to trust the account domain. [BUILD 6] The local group, Call Centre All , on the member server includes the global group from the account domain. [BUILD 7] There also exists a share on Lonfilesrv01, Docs, on the member server, that gives Call Centre All full control. [BUILD 8] When Stephanie logs on at her workstation, it is using the Account domain account. [BUILD 9] Then, in the normal course of her day, she attempts to access the share Docs folder. [BUILD 10] Via passthrough authentication, Stephanie is given an access token that allows her access to Docs. This access token contains the SIDs for her user account and the two groups she is included in. SLIDE TRANSITION: So what are the effects to this process during and after migration? ADDITIONAL INFORMATION FOR PRESENTER: Ficha de acceso de Steph en DocServ1: Usuario: LON-ACC\Stephb SID Grupos: LON-ACC\Call Centre SID LONFILESRV01\Call CentreSID LON-RES-01 StephsWS LONFILESRV01 LONFILESRV01\Call Centre Miembros: LON-ACC\Call Centre All \\LONFILESR01\Docs: Centro de llamadas: Control total

28 Escenarios de migración Historial de SID
Grupos: Usuario: S S S S Ficha de acceso Europe\stephb LON-ACC\stephb (Historial de SID ) KEY MESSAGE: What is SID History and why do we need it? SLIDE BUILDS: None SLIDE SCRIPT: So when migrating objects from NT 4 to Active Directory, the first thing to be aware of is how the Security Principals are affected. When taking a user, computer, or group from NT 4 to the Active Directory, these principals are in most cases created anew. Which means they get new SIDs, and therefore any permissions/rights granted to the old SID or any groups that this principal was a member of do not apply to the new SID. To overcome this, the old Security Identifiers (SIDs) for the account objects are retained in an attribute in the Active Directory called “SID history.” This allows the new security principal to include its former SIDs. So now, when a user identifies himself or herself by presenting his or her credentials, the system creates an access token for the user containing not only the SID of the user and the SIDs of all the groups that user is a member of, but also all SIDs in SID history. The good thing about this system is that is does not affect the security descriptor for a resource. This descriptor—which contains the Access Control List (ACL), with a list of Access Control Entries (ACEs), each consisting of an SID together with the indicator that identifies the grant or denied access to the resource—works as if nothing has changed. All the SIDs, old and new, are passed and checked against the Access Control List. For this to work in a restructure, trusts between the resource domain and the Active Directory domain must exist. In an upgrade, security principals remain in the same domain they were created in, and so the SIDs identifying them remain unchanged. As a result, resource access is unaffected by upgrade. SLIDE TRANSITION: The Active Directory Migration tool handles a lot of this. So lets round off the session with a look at how the tool can ensure that access is maintained. ADDITIONAL INFORMATION FOR PRESENTER: Europe\Call Centre All LON-ACC\Call Centre All (Historial de SID) SIDhistory otorga acceso al movimiento de grupos Dar pleno control a LON-ACC\Call Centre All ACL en lonfilesrv01\Docs Dar pleno control a S

29 demo Asistente para traducción de seguridad
Llenar la base de datos de correlación del Grupo Ejecutar la traducción de seguridad KEY MESSAGE: Describe the different modes. SLIDE BUILDS: None SLIDE SCRIPT: SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:

30 Resumen de la sesión La migración puede ser para actualizar o reestructurar Tome tiempo para evaluar los pros y contras de cada opción Elija la opción que proporcione la mejor solución a su organización KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:

31 Para mayores informes:
Sitio Web principal de TechNet Web en Los recursos adicionales para dar soporte a esta página de Sesión se pueden encontrar en KEY MESSAGE: SLIDE BUILDS: None SLIDE SCRIPT: SLIDE TRANSITION:

32 MS Press Información interna para profesionales de informática
Key Message: Talk about MS Press books and introduce the Build your own book feature SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER: Para encontrar los tú‘ulos más recientes relacionados con los Profesionales de informática, visite

33 Publicaciones de terceros Publicaciones complementarias para los Profesionales de informática
Key Message: Talk about the 3rd Party books to show we do provide a balanced view in areas where our publications are diluted or we do not cover. SLIDE BUILDS: None SLIDE SCRIPT: [BUILD 1] (Add book script here) SLIDE TRANSITION: ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER: Estos libros se pueden encontrar y adquirir en todas las librerías de prestigio y las tiendas al menudeo en línea

34 Microsoft Learning Recursos de capacitación para los Profesionales de informática
Migrar desde Microsoft Windows NT 4.0 Microsoft Windows Server 2003 Número del curso: 2283 Disponibilidad: ¡Ahora! Programa de estudios detallado: Microsoft Learning (formerly MS Training & Certification and MS Press, the book division) develops the courseware called Microsoft Official Curriculum (MOC), including MSDN Training courses, eLearning, MS Press Books, Workshops, Clinics, and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for both IT professionals and developers who build, support, and implement solutions using Microsoft products and technologies. Please be sure to tell the audience that these training courses are related to the subject that was just covered in the slides, but they do not necessarily provide in-depth coverage of this exact subject as it may include other topics. Anyone interested in more information about the course(s) listed should visit the Microsoft Training & Certification Web site at and review the syllabus. All MOC courses are delivered by Microsoft’s premier training channel, Microsoft Certified Technical Education Centers (CTEC) and classes are taught by Microsoft Certified Trainers (MCT). Para localizar un proveedor de capacitación, acceda a Microsoft Certified Technical Education Centers son los socios de negocios recomendados por Microsoft para servicios de capacitación

35 Evaluar su Preparación Evaluación de habilidades de Microsoft
¿Qué es la evaluación de habilidades de Microsoft? Una herramienta de aprendizaje de auto estudio para evaluar la preparación respecto a las soluciones de productos y tecnología, en lugar de roles de trabajo (certificación) Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003 Sin costo, en lú‹ea, sin supervisión y disponibles para cualquiera Responde a: “¿Estoy listo? Determina las brechas de habilidades, proporciona los planes de aprendizaje con los cursos de Microsoft Official Curriculum, además de las sugerencias de contenido de aprendizaje de Microsoft, tales como recursos TechNet Coloque su Calificación más alta para ver cómo se compara con los demás visite OPENING TRANSITION: And now, for an exciting, new product also from Microsoft Learning… KEY MESSAGE: Microsoft Skills Assessment SLIDE SCRIPT: Microsoft Skills Assessment is a free online learning tool. It’s an easy way for IT professionals, developers, and trainers to check your skills. You can quickly check your skills for implementing or managing Microsoft product or business solutions. Just take a short, 30 question assessment and see how well you know your stuff. Benefits include a Personalized Learning Plan, which includes links to Microsoft Official Curriculum, specific TechNet articles, Press books, and other Microsoft learning content. There’s also a way to measure how well you did compared with others who took the same assessment. Microsoft Skills Assessment is an expanding learning platform. Available now are assessments for Windows Server 2003 including security and patch management, Exchange Server 2003, Windows Storage Server, Office 2003, and Visual Studio .NET. SLIDE TRANSISTION: TechNet can also help prepare for Exams as well as a lot more, so what it is? ADDITIONAL INFORMATION FOR PRESENTER:

36 Conviértase en un Microsoft Certified Systems Administrator (MCSA)
¿Qué es la certificación MCSA? Para los Profesionales de informática que manejan y mantienen redes y sistemas basados en el sistema operativo Windows Server ¿Cómo me convierto en un MCSA en Microsoft Windows 2000? Apruebe 3 exámenes básicos Apruebe 1 examen opcional o dos certificaciones CompTIA ¿Dónde obtengo mayores informes? Para mayores informes acerca de los requisitos, exámenes y capacitación para la certificación, visite KEY MESSAGE: Explain the MCSA program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows® Server Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems. For more information about the MCSA certification, please visit: TYPICAL JOB TITLES FOR MCSA Network Administrator, Systems Administrator, Information Technology Engineer, Information Systems Administrator, Network Technician UPGRADE PATH FROM MCSA ON WINDOWS 2000 One exam required: Exam : Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 SLIDE TRANSISTION: That’s it. Signoff in you own way.

37 Conviértase en un Microsoft Certified Systems Engineer (MCSE)
¿Qué es la certificación MCSE? Certificación Premier para los Profesionales de informática que analizan los requisitos de negocios y diseñan e implementan la infraestructura para las soluciones de negocios con base en el software del servidor integrado Microsoft Windows Server System. ¿Cómo me convierto en un MCSE en Microsoft Windows 2003? Apruebe 6 exámenes básicos Apruebe 1 examen opcional de una lista completa ¿Dónde obtengo mayores informes? Para mayores informes acerca de los requerimientos, ex疥enes y opciones de capacitación para la certificación, visite KEY MESSAGE: Explain the MCSE program SLIDE BUILDS: None SLIDE SCRIPT: The Microsoft® Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software. Implementation responsibilities include installing, configuring, and troubleshooting network systems. For more information about the MCSE certification, please visit: MCSE candidates should have at least one year of experience planning, implementing, and analyzing business solutions with Microsoft products and technologies UPGRADE FROM MCSE ON WINDOWS 2000 Two exams required These 2 exams satisfy the core networking exams. Exam : Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000 Exam : Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 SLIDE TRANSISTION: That’s it. Signoff in you own way. ADDITIONAL INFORMATION FOR PRESENTER:

38 ¿Qué es TechNet? Poner las respuestas correctas a su alcance
TechNet es la colección completa de recursos que ayuda a los implementadores de informática a planear, implementar y administrar de manera exitosa los productos de Microsoft Suscripción a TechNet Actualizaciones mensuales proporcionadas en DVD o CD El recurso definitivo para ayudarle a evaluar, implementar y mantener los productos de Microsoft While the monthly subscription software is the most obvious component of TechNet, there’s also much more. The TechNet web site gives subscribers access to valuable information as well as threaded discussion pages and online seminars. Many subscribers use the web as frequently as they use the software. In the subscribers only section, subscribers can access the Online Concierge Chat Support service-a Microsoft support special can help them locate technical information quickly and easily. TechNet Plus subscribers also get access to our Managed Newsgroup Support Service. You can post questions in over 90 IT related public newsgroups and Microsoft will ensure that you get a response within 72 hours TechNet Flash is a bi-weekly newsletter subscribers can register for-it gives them up to date information on the latest postings to the web site TechNet Events-TechNet subscribers have access to free events that explain how to use Microsoft products and technologies at a technical level TechNet Communities ????? Sitio Web de TechNet Se accede en Recursos y comunidad en línea Servicios en línea sólo para suscriptores TechNet Flash Boletín de noticias electrónico quincenal Actualizaciones de seguridad, nuevos recursos y ofertas especiales Eventos TechNet y Web Casts Resúmenes informativos sobre los productos y tecnologías más recientes de Microsoft Información práctica Comunidades TechNet Grupos de usuarios Grupos de noticias administrados

39 ¿Dónde puedo obtener TechNet?
Visite TechNet en línea en Regístrese para TechNet Flash en Únase al foro TechNet Online en Conviértase en un suscriptor TechNet en Asista a más Eventos TechNet o véalos en línea en KEY MESSAGE: Purpose of this slide is to educate IT Pros on where to go and how to be a part of TechNet. SLIDE BUILDS: None SLIDE SCRIPT: There is one place you should go to start: WW.MICROSOFT.COM/TECHNET There is one communication you should subscribe to: TechNet Flash. Twice monthly for the IT Pro community - focuses on news, information, resources and events. Post questions on the discussion forum. Subscribe online Look for TechNet branded events - feature SLIDE TRANSITION: Last slide in the deck. Round off however you like. ADDITIONAL INFORMATION FOR PRESENTER:



Presentaciones similares

Anuncios Google