Exam Reviews

Managing Migration

Proving that you’re ready to perform a migration to Windows 2000 requires a deep understanding of Windows 2000, Active Directory, NT 4.0, and the tools in the Win2K Resource Kit.

• By Alan R. Carter
• 12/01/2000

Passing the Migrating to Win2K exam demonstrates that you have knowledge of Windows NT 4.0, Windows 2000, Active Directory design, and the ability to plan and manage a migration from an NT 4.0 network to a Win2K network. Migration is the premier Win2K skill set. Both large and small organizations will need to move their entire networks from NT 4.0 in the next couple of years, and experts who can plan and manage a migration are few and far between. If you want to show you have what it takes, this exam is for you. However, make no mistake, this test is in-depth, broad-based, and darned difficult. If you pass it, you’ll have distinguished yourself from the rest of the pack.

The exam uses a unique format; half of it is case-study based, and the other half consists of multiple-choice questions that aren’t based on a case study. This exam is loaded with the new “build tree and reorder” style of questions. Download the case study-based test demo from www.microsoft.com/trainingandservices (choose Testing Innovations from the left menu) and practice answering the sample questions.

In this type of question, you’re given a scenario at the top of the dialog box. Then you must select the items or actions from the right window that apply to the scenario and move them to the left window. Then, in the left window, you must put the items or actions in the order indicated by the scenario. These questions are exceptionally difficult because they not only test to see if you know exactly what must be done, but also the order in which actions should take place. Make sure you know the order of actions in a migration or you’ll be unable to answer these questions correctly.

Developing the Migration Strategy

There are three types of migrations: domain upgrade, domain upgrade and restructure, and domain restructure. Each migration type applies to a different type of domain environment. You must take a variety of factors into account when choosing the migration strategy, including the current hardware, security, network infrastructure, application compatibility, current domain design, business needs, technical needs, and existing network services. You should know how each of the above-named issues affects your choice of a migration type and how to choose the appropriate type of migration based on those issues.

Tip: Be sure you know how to perform each type of migration, the order in which domains should be upgraded/migrated, and when to use each type of migration strategy.

Become thoroughly familiar with all of the security issues surrounding a domain upgrade or restructure. Be sure you know how to maintain seamless user access to resources during and after the migration.

Tip: Be sure you understand how SID histories work, when to use them, when to remove them, and which migration tools maintain SID history and which ones don’t. Remember, if you choose to use SID histories, users with more than a total of 1,023 SIDs may not be able to log on or access resources on the network.

Preparing the Environment

The objectives under this heading involve preparing the new environment that will be the target of the upgrade, as well as preparing the source environment for the upgrade process. The first task in preparing the new environment involves either upgrading your DNS services to ones that support Active Directory or installing and configuring the Win2K DNS service and configuring it for dynamic updates.

Tip: Ensure that you know which versions of the UNIX Bind service are capable of supporting Active Directory—and the reasons for continuing to use it instead of the Win2K DNS service.

The second part of preparing the new environment involves either upgrading one of your source NT 4.0 domains to Win2K or installing Win2K in a new, clean, “pristine” environment.

You also need to back up your old environment in such a way that you can quickly recover your old environment in case the migration runs into issues that can’t be resolved quickly enough to keep users up and running without a long network outage. This includes backing up the databases for various network services, including WINS, DNS, DHCP, and so on. It also involves backing up your existing user accounts and domain information in such a way that you can quickly recover your existing domain environment.

Tip: Consider installing NT 4.0 on an additional domain controller, synchronizing the new controller with the existing PDC, and then taking the new domain controller offline during the migration/upgrade process to ensure that you can quickly restore your existing environment by bringing the controller back online, promoting it to PDC, and then synchronizing with the existing BDCs to restore your network to its pre-migration state. Be sure to take the existing PDC offline during the process to ensure that it doesn’t corrupt this process. Then bring it online, demote it to a BDC, and synchronize it with the new PDC.

Planning and Deploying a Domain Upgrade

When you upgrade an NT 4.0 domain to Win2K, you have to deal with a lot of ongoing issues. First, you must choose which computers will be upgraded—and when. For example, you can upgrade member servers and workstations at any time, but the BDCs can’t be upgraded until the PDC has been upgraded. If you’re running the NT 4.0 DNS service on a member server, that server must be upgraded to Win2K before you upgrade any domain controllers to provide the DNS services required by Active Directory.

If you’re using logon scripts and NT 4.0 system policies, you may run into replication issues once the PDC has been upgraded, because Win2K doesn’t support the NT 4.0 LAN Manager replication service.

Tip: Before you upgrade any domain controllers, determine which BDC will be the last one to be upgraded and configure it as the source server for replication of logon scripts and system polices; configure all of the other BDCs to use it as the source. Once the PDC is upgraded to Win2K, implement lbridge.cmd to ensure that the NT 4.0 BDCs are kept up to date with the most current logon scripts and system policy files stored on the Win2K domain controllers.

Also, only NT 4.0 computers use NT system policy—Win2K computers don’t. Therefore you must migrate your system policy settings to Group Policy so the same settings will be applied on all computers in the domain.

Authentication can be a problem in a mixed NT 4.0/Win2K environment. RAS and RRAS servers use an authentication method unsupported by default in Win2K. To ensure that remote users are authenticated in a mixed environment, select the “Permissions compatible with pre-Windows 2000 Servers” option.

Tip: If you don’t know whether the appropriate option was selected, make sure that the Everyone group is a member of the Pre-Windows 2000 Compatible Access domain local group. This ensures that authentication of remote users on NT 4.0 RAS and RRAS servers works correctly.

Domain Restructure

Herein lies the heart of the exam. There are two types of migrations: those that consolidate multiple Win2K domains in a single forest (called an intra-forest restructure) and those that consolidate NT 4.0 and Win2K domains into one or more Win2K domains in a different forest (called an inter-forest restructure). Microsoft provides many tools for performing restructuring tasks, including the Active Directory Migration Tool (ADMT), ClonePrincipal, Movetree, and Netdom. ADMT is a wizard-based graphical tool that can be used for both types of migrations. ClonePrincipal is really a series of Visual Basic scripts that perform various inter-forest migration tasks. Movetree is a command-line tool used to perform various intra-forest migration tasks. Finally, Netdom is a command-line tool used to view and manage trust relationships in both NT 4.0 and Win2K environments.

Tip: Practice using each of these tools in a test lab environment until you’re familiar with the capabilities and limitations of each, and know the nuances of each tool. Be sure you know how each tool manages passwords on migrated user accounts.

Before you’re ready to perform a migration, you need to establish the new environment. Be sure you’ve created the destination OUs and delegated control of those OUs to the appropriate administrative users/groups. Also, ensure that you’ve created all of the required trust relationships between the source domains and the target Win2K domain.

Tip: You can use Netdom to create and verify all of your trust relationships prior to migration. You can also use it to document the existing trusts in your environment before beginning the migration process.

In addition to establishing trust relationships, the target domain must be a Win2K domain in native mode, and the source domain controller must have TCP/IP client support enabled.

Tip: To enable TCP/IP client support, the following registry entry must exist on the source domain controller: HKEY_LOCAL_ MACHINE/system/CurrentControlSet/ Lsa/TcpipClientSupport. It must be a REG_DWORD with a value of 0X1. TCP/IP client support should be disabled (set to 0) whenever migration tools aren’t in use.

Troubleshooting

This is a huge objective! With any type of network activity as complex as domain restructuring, there will be problems. Of course, it will be up to you to troubleshoot and resolve them. You might encounter myriad problems; each requires its own, special solution. The key to avoiding problems lies in proper planning; however, even the best-laid plans can miss a minor point or be derailed by hardware or authentication issues. The best preparation for this part of the exam is a deep understanding of all of the technical issues surrounding a migration and thinking through as many of the possible problems in each type of migration.

Also, preparing for problems is almost mandatory when performing a migration. You must back up your existing environment in such a way that it can be quickly restored in the event that the migration fails. Be sure you know not only how to back up domains and various networking services, but also how to restore a partially migrated environment to its pre-migration status.

Making It to the Top

Pass this exam, and you’ll demonstrate that you have what it takes to migrate any type of NT 4.0 network to Win2K. You’ll have shown that you stand out from the crowd of MCSEs who don’t have the experience to take on tough migration jobs. Being successful requires years of experience with NT 4.0 and Win2K and a deep understanding of the migration process. I don’t think we’ll see a lot of new MCSEs passing this exam. If you feel up to the challenge and want to demonstrate your expertise in the migration process, here’s your chance. Good luck!