Planning an Active Directory Deployment Project

Transcription

1 C H A P T E R 1 Planning an Active Directory Deployment Project When yo deploy the Microsoft Windows Server 2003 Active Directory directory service in yor environment, yo can take advantage of the centralized, delegated administrative model and single sign-on capability that Active Directory provides. After yo identify the crrent environment and deployment goals for yor organization, yo can create the Active Directory deployment strategy that meets yor organization s needs. Testing the deployment in an isolated lab environment and refining the deployment in selected pilot areas of yor prodction environment help to ensre a smooth deployment throghot yor organization. In This Chapter Overview of Planning an Active Directory Deployment Project...4 Determining Yor Active Directory Design and Deployment Strategy...8 Testing and Verifying the Deployment Process Additional Resorces Related Information For more information abot planning, testing, and piloting a deployment project, see Designing a Test Environment and Planning and Testing for Application Deployment in Planning, Testing, and Piloting Deployment Projects in this kit. For more information abot deploying Windows Server 2003 Domain Name System (DNS), see Deploying DNS in Deploying Network Services in this kit. For more information abot Grop Policy, see the Distribted Services Gide of the Microsoft Windows Server 2003 Resorce Kit (or see the Distribted Services Gide on the Web at

2 4 Chapter 1 Planning an Active Directory Deployment Project Overview of Planning an Active Directory Deployment Project Active Directory in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems allows organizations to simplify ser and resorce management while creating a scalable, secre, and manageable infrastrctre. Yo can se Active Directory to manage yor network infrastrctre, inclding branch office, Microsoft Exchange Server, and mltiple forest environments. Althogh the gidelines presented in this book are appropriate for almost all network operating system (NOS) management deployments, the gidelines have been tested and validated specifically for environments that contain fewer than 100,000 sers and fewer than 1,000 sites, with network connections of a minimm of 28.8 kilobits per second (Kbps). If yor environment does not meet these criteria, consider sing a conslting firm that has experience deploying Active Directory in more complex environments. Deploying Active Directory provides the following benefits to yor organization: Simplified administration and resorce management. Yo can delegate administration to all levels of an organization, and yo can se Grop Policy to centralize administration. Increased network secrity and single sign-on for sers. Active Directory spports mltiple athentication protocols and X.509 certificates, and provides spport for smart cards. Interoperability with other directory services. Active Directory provides standards-based, open interfaces that interoperate with other directory services and applications, sch as e- mail applications. Featres that redce administration costs, increase secrity, and provide additional fnctionality. Application directory partitions allow yo to configre application-specific data replication settings on domain controllers. When yo raise domain or forest fnctional levels to Windows Server 2003, yo can do the following: Rename domains and domain controllers Establish two-way forest trsts Restrctre forests Improve replication Remove some limitations in environments with a large nmber of sites

3 Overview of Planning an Active Directory Deployment Project 5 Althogh the Windows Server 2003 Active Directory design and deployment strategies that are presented in this book are based on extensive lab and pilot-program testing and sccessfl implementation in cstomer environments, yo might have to cstomize yor Active Directory design and deployment to better sit specific, complex environments. For more information abot deploying Active Directory in a branch office environment, see the Active Directory Branch Office Planning Gide. For more information abot deploying Active Directory in an Exchange environment, see Best Practice Active Directory Design for Exchange For more information abot deploying Active Directory in a mltiple forest environment, see Mltiple Forest Considerations. To download these gides, see the Active Directory link on the Web Resorces page at and then click Planning & Deployment Gides. This book also provides flowcharts, job aids, and deployment examples to help yo optimize yor Active Directory design and deployment process. Process for Planning an Active Directory Deployment Project To plan a Windows Server 2003 Active Directory deployment project, first determine yor design and deployment strategy, and then test and verify yor design and deployment. Figre 1.1 shows the process for planning yor Active Directory deployment project. Figre 1.1 Planning an Active Directory Deployment Project Determine yor Active Directory design and deployment strategy Test and verify the deployment process

4 6 Chapter 1 Planning an Active Directory Deployment Project Active Directory Backgrond Information Before yo design and deploy Windows Server 2003 Active Directory, become familiar with the Active Directory deployment project cycle, as well as Active Directory related terms that are reqired for the Windows Server 2003 Active Directory deployment process. Active Directory Deployment Project Cycle An Active Directory deployment project involves three phases: a design phase, a deployment phase, and an operations phase. Dring the design phase, the design team creates a design for the Active Directory logical strctre that best meets the needs of each division in the organization that will se the directory service. After the design is approved, the deployment team tests the design in a lab environment and then implements the design in the prodction environment. Becase testing is performed by the deployment team and potentially affects the design phase, it is an interim activity that overlaps both design and deployment. When the deployment is complete, the operations team is responsible for maintaining the directory service. Lab testing and the implementation of a pilot program contine throghot the lifetime of the Active Directory deployment. Figre 1.2 shows the relationship between the phases of the Active Directory project cycle relative to the lifetime of the deployment project. Figre 1.2 Relationship Between Active Directory Project Cycle Phases Deployment Project Lifetime New Deployment Project Changes to design Design Lab/Pilot Deploy On going pilot Operations Design Long term ownership Lab/Pilot Deploy Operations Long term ownership

5 Overview of Planning an Active Directory Deployment Project 7 Terms and Definitions The following terms are important to nderstanding the Windows Server 2003 Active Directory deployment process. Active Directory domain An administrative nit in a compter network that, for management convenience, grops several capabilities, inclding: Network-wide ser identity. Domains allow ser identities to be created once and referenced on any compter that is joined to the forest in which the domain is located. Domain controllers that make p a domain are sed to store ser acconts and ser credentials, sch as passwords or certificates, secrely. Athentication. Domain controllers provide athentication services for sers and spply additional athorization data, sch as ser grop memberships. These services can be sed to control access to resorces on the network. Trst relationships. Domains extend athentication services to sers in other domains in their own forest by means of atomatic bidirectional trsts, and to sers in domains in other forests by means of either manally created external trsts or forest trsts. Policy administration. The domain is a scope of administrative policies, sch as password complexity and password rese rles. Replication. The domain defines a partition of the directory tree that provides data that is adeqate to provide the reqired services and that is replicated between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a nit. Active Directory forest A collection of one or more Active Directory domains that share a common logical strctre, directory schema, and network configration, as well as atomatic two-way transitive trst relationships. Each forest is a single instance of the directory and defines a secrity bondary. Active Directory fnctional level A setting in Windows Server 2003 Active Directory that enables advanced domain-wide or forest-wide Active Directory featres.

6 8 Chapter 1 Planning an Active Directory Deployment Project Migration The process of moving an object from a sorce domain to a target domain, while preserving or modifying characteristics of the object to make it accessible in the new domain. Domain restrctre A migration process that involves changing the domain strctre of a forest. A domain restrctre can involve either consolidating or adding domains, and can take place between forests or within a forest. Domain consolidation A restrctring process that involves eliminating Microsoft Windows NT 4.0 domains or Active Directory domains by merging their contents with the contents of other domains. Domain pgrade The process of pgrading the directory service of a domain to a later version of the directory service. This incldes pgrading the operating system on all domain controllers and raising the Active Directory fnctional level where applicable. In-place domain pgrade The process of pgrading the operating system on all domain controllers that are based on Windows NT 4.0 or on the Microsoft Windows 2000 operating system and raising the fnctional level of the domain if applicable, while leaving domain objects, sch as sers and grops, in place. Regional domain A child domain that is created based on a geographic region in order to optimize replication traffic. Determining Yor Active Directory Design and Deployment Strategy After yo perform a high-level assessment of yor crrent environment and determine yor Active Directory deployment goals, yo can determine the deployment strategy that works best for yor environment. Figre 1.3 shows the steps for defining the Active Directory deployment process.

7 Determining Yor Active Directory Design and Deployment Strategy 9 Figre 1.3 Determining Yor Design and Deployment Strategy Determine yor Active Directory design and deployment strategy Test and verify the deployment process Determine yor Active Directory design reqirements Determine yor Active Directory deployment reqirements Determine yor restrctre reqirements The Active Directory deployment strategy that yo apply varies according to yor existing network configration. For example, if yor organization crrently rns Windows 2000, yo can simply pgrade yor operating system to Windows Server If yor organization crrently rns Windows NT 4.0 or a non-windows network operating system, however, yo mst design an Active Directory infrastrctre before yo pgrade to Windows Server Yor deployment process might involve restrctring existing domains, either within an Active Directory forest or between Active Directory forests. Yo might need to restrctre yor existing domains after yo deploy Windows Server 2003 Active Directory or after organizational changes or corporate acqisitions. Yo can also restrctre domains from a Windows NT 4.0 environment to an Active Directory forest in order to pgrade yor prodction environment to Windows Server 2003.

8 10 Chapter 1 Planning an Active Directory Deployment Project Table 1.1 lists the possible starting points and goals for a Windows Server 2003 Active Directory deployment and the corresponding deployment steps and chapters in this book that apply to each. Table 1.1 Crrent Environment, Goals, and Corresponding Chapters for Deploying Windows Server 2003 Active Directory Environment Deployment Goals Corresponding Chapters New organization Windows NT 4.0 Windows 2000 Create forest, domain, DNS, and organizational nit design. Create a site and site link design. Assess hardware reqirements. Deploy the forest root domain. Chapter 2: Designing the Active Directory Logical Strctre Chapter 3: Designing the Site Topology Chapter 4: Planning Domain Controller Capacity Chapter 6: Deploying the Windows Server 2003 Forest Root Domain Deploy regional domains. Chapter 7: Deploying Windows Server 2003 Regional Domains Raise the domain and forest fnctional levels. Create forest, domain, DNS, and organizational nit design. Create a site and site link design. Assess hardware reqirements. Deploy the forest root domain. Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Featres Chapter 2: Designing the Active Directory Logical Strctre Chapter 3: Designing the Site Topology Chapter 4: Planning Domain Controller Capacity Chapter 6: Deploying the Windows Server 2003 Forest Root Domain Deploy regional domains. Chapter 7: Deploying Windows Server 2003 Regional Domains Upgrade in-place Windows NT 4.0 domains that will remain part of yor Active Directory domain strctre. Restrctre other Windows NT 4.0 domains. Raise the domain and forest fnctional levels. Upgrade Windows 2000 domain controllers. Raise the domain and forest fnctional levels. Chapter 8: Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory Chapter 10: Restrctring Windows NT 4.0 Domains to an Active Directory Forest Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Featres Chapter 9: Upgrading Windows 2000 Domains to Windows Server 2003 Domains Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Featres

9 Determining Yor Active Directory Design and Deployment Strategy 11 Table 1.2 lists the goals and corresponding chapters that apply to restrctring domains either within or between forests. Table 1.2 Goals and Corresponding Chapters for Restrctring Active Directory Domains Action Deployment Goals Corresponding Chapters Restrctre domains within a forest Restrctre domains between forests Create forest, domain, DNS, and organizational nit design. Create a site and site link design. Use a tool sch as Active Directory Migration Tool (ADMT) to restrctre domains within a forest. Create forest, domain, DNS, and organizational nit design. Create a site and site link design. Use a tool sch as ADMT to restrctre domains between forests. Chapter 2: Designing the Active Directory Logical Strctre Chapter 3: Designing the Site Topology Chapter 12: Restrctring Active Directory Domains Within a Forest Chapter 2: Designing the Active Directory Logical Strctre Chapter 3: Designing the Site Topology Chapter 11: Restrctring Active Directory Domains Between Forests Determining Yor Active Directory Design Reqirements If yor network environment is crrently operating withot a directory service, or if yo need to modify yor crrent Active Directory infrastrctre, complete the design process for yor Active Directory infrastrctre. Yo mst complete a comprehensive design of yor Active Directory logical strctre before yo deploy Active Directory. Thoroghly preparing yor Active Directory design is essential to a cost-effective deployment. Logical Strctre Design Before yo deploy Windows Server 2003 Active Directory, yo mst plan for and design the Active Directory logical strctre for yor environment. The Active Directory logical strctre determines how yor directory objects are organized, and provides an effective method for managing yor network acconts and shared resorces. When yo design yor Active Directory logical strctre, yo define a significant part of the network infrastrctre of yor organization. To design the Active Directory logical strctre, determine the nmber of forests that yor organization reqires, and then create designs for domains, DNS, and organizational nits.

10 12 Chapter 1 Planning an Active Directory Deployment Project Site Topology Design After yo design the logical strctre for yor Active Directory infrastrctre, yo mst design the site topology for yor network. The site topology is a logical representation of yor physical network. It contains information abot the location of Active Directory sites, the Active Directory domain controllers within each site, and the site links that spport Active Directory replication between sites. Domain Controller Capacity Planning To ensre efficient Active Directory performance, yo mst determine the appropriate nmber of domain controllers for each site and verify that they meet the hardware reqirements for Windows Server Carefl capacity planning for yor domain controllers ensres that yo do not nderestimate hardware reqirements, which can case poor domain controller performance and application response time. Advanced Active Directory Featres Fnctional levels in Windows Server 2003 Active Directory allow yo to enable new featres, sch as improved grop membership replication, deactivation and redefinition of attribtes and classes in the schema, and forest trst relationships that reqire that all domain controllers within the participating domain or forest rn Windows Server Part of the Active Directory design process involves identifying the domain and forest fnctional levels that yor organization reqires. To implement these Windows Server 2003 Active Directory featres in yor organization, yo mst first deploy Windows Server 2003 Active Directory and then raise the forest and domain to the appropriate fnctional level. Determining Yor Active Directory Deployment Reqirements The strctre of yor existing environment determines yor strategy for deploying Windows Server 2003 Active Directory. If yo are creating an Active Directory environment and yo do not have an existing domain strctre, yo mst complete yor Active Directory design before yo begin creating yor Active Directory environment. Then yo can deploy a new forest root domain and deploy the rest of yor domain strctre according to yor design. Windows Server 2003 Forest Root To deploy Active Directory, yo mst first deploy a Windows Server 2003 forest root domain. To do this, yo mst configre DNS, deploy forest root domain controllers, configre the site topology for the forest root domain, and configre operations master roles.

11 Determining Yor Active Directory Design and Deployment Strategy 13 Windows Server 2003 Regional Domains If yo are creating one or more new regional domains in a Windows Server 2003 forest, yo mst deploy each regional domain after yo deploy yor forest root domain. To do this, yo mst delegate a DNS zone and deploy domain controllers for each regional domain. Windows NT 4.0 Domain Upgrade to Windows Server 2003 When yo perform an in-place domain pgrade of Windows NT 4.0 domains, yo can begin to se Active Directory withot making any modifications to yor existing domain strctre. Alternatively, if yo do not want to retain yor existing domain strctre, yo can restrctre yor Windows NT 4.0 domains to a Windows Server 2003 forest. For more information abot restrctring yor Windows NT 4.0 domains to a Windows Server 2003 forest, see "Determining Yor Restrctre Reqirements" later in this chapter. Windows 2000 Domain Upgrade to Windows Server 2003 Upgrading yor Windows 2000 domains to Windows Server 2003 domains is an efficient, straightforward way to take advantage of additional Windows Server 2003 featres and fnctionality. Upgrading from Windows 2000 to Windows Server 2003 reqires minimal network configration and has little impact on ser operations. Determining Yor Restrctre Reqirements As part of yor Active Directory deployment, yo might choose to restrctre yor environment. Before doing so, yo mst determine when and how yo want to restrctre yor environment. Organizations with an existing Windows NT 4.0 domain strctre might perform an in-place pgrade of some domains and restrctre others. In addition, yo might decide to redce the complexity of yor environment by either restrctring domains between forests or restrctring domains within a forest after yo deploy Active Directory. Windows NT 4.0 Domain Restrctre to a Windows Server 2003 Forest Becase of its greater scalability, a Windows Server 2003 Active Directory environment reqires fewer domains than a Windows NT 4.0 environment. Instead of performing an in-place pgrade of yor Windows NT 4.0 domains, it might be more efficient to consolidate a nmber of smaller Windows NT 4.0 accont and resorce domains into a few, larger Active Directory domains.

12 14 Chapter 1 Planning an Active Directory Deployment Project Interforest Active Directory Domain Restrctre When yo restrctre domains between Windows Server 2003 forests, yo can redce the nmber of domains in yor environment and, therefore, redce administrative complexity and overhead. When yo migrate objects between forests as part of the restrctring process, both the sorce and target domain environments exist simltaneosly. This enables yo to roll back to the sorce environment dring the migration, if necessary. Intraforest Active Directory Domain Restrctre When yo restrctre Windows Server 2003 domains within a Windows Server 2003 forest, yo can consolidate yor domain strctre and, therefore, redce administrative complexity and overhead. Unlike the process for restrctring Windows Server 2003 domains between forests, when yo restrctre domains within a forest, the migrated acconts no longer exist in the sorce domain. Table 1.3 lists the differences between an interforest and an intraforest domain restrctre. Table 1.3 Differences Between Interforest and Intraforest Domain Restrctres Migration Consideration Object preservation SID history maintenance Password retention Local profile migration Closed sets Interforest Restrctre Objects are cloned rather than migrated. The original object remains in the sorce location to maintain ser access to resorces. Maintaining SID history is optional. Password retention is optional. Yo mst se tools sch as ADMT to migrate local profiles. Yo do not need to migrate acconts in closed sets. Intraforest Restrctre Objects are migrated and no longer exist in the sorce location. SID history is reqired. Passwords are always retained. For workstations that rn Windows 2000 and later, local profiles are migrated atomatically becase the ser s GUID is preserved. However, yo mst se tools sch as ADMT to migrate local profiles for workstations that rn Windows NT 4.0 and earlier. Yo mst migrate acconts in closed sets.

13 Determining Yor Active Directory Design and Deployment Strategy 15 Example: Establishing an Active Directory Deployment Strategy To illstrate the Active Directory deployment process, the chapters in this book show an example of how a fictitios company, Contoso Pharmaceticals, deploys Active Directory in its environment. The Contoso environment consists of for domains, all of which are rnning Windows 2000 Active Directory. Figre 1.4 shows the crrent domain strctre for the Contoso corporation. Figre 1.4 Contoso Corporation Domain Strctre concorp.contoso.com noam.concorp.contoso.com emea.concorp.contoso.com africa.concorp.contoso.com After reviewing its existing environment and identifying its deployment goals, Contoso established the following Active Directory deployment strategy: Upgrade Windows 2000 domains to Windows Server 2003 domains. Enable advanced Active Directory featres by raising the domain and forest fnctional levels to Windows Server After pgrading all Windows 2000 domains to Windows Server 2003 domains, Contoso will restrctre the africa.concorp.contoso.com domain within the forest to consolidate it with the emea.concorp.contoso.com domain.

14 16 Chapter 1 Planning an Active Directory Deployment Project The Contoso corporation is acqiring a company called Trey Research, which is crrently rnning a Windows NT 4.0 based environment, as shown in Figre 1.5. Figre 1.5 Crrent Environment for Trey Research BOSTON EAST MAIL-APPS PROD-APPS OFFICE-APPS Contoso established the following Active Directory deployment strategy for their Trey Research acqisition: Design the Active Directory logical strctre to create forest, domain, DNS, and organizational nit designs for the new Windows Server 2003 environment. Design the site topology to create the reqired sites, site links, and site link bridges. Plan domain controller capacity to determine the hardware reqirements for the new Windows Server 2003 environment. Deploy trccorp.treyresearch.net as the forest root domain. Deploy three regional domains. Different teams can create these domains simltaneosly. Upgrade the EAST domain to Windows Server 2003 to become east.trccorp.treyresearch.net. Create two new Windows Server 2003 regional domains called asia.trccorp.treyresearch.net and west.trccorp.treyresearch.net. Restrctre the BOSTON, MAIL-APPS, PROD-APPS, and OFFICE-APPS domains to the east.trccorp.treyresearch.net Windows Server 2003 domain by sing ADMT. Raise the domain and forest fnctional levels to Windows Server Figre 1.6 shows the interim environment for Trey Research.

15 Determining Yor Active Directory Design and Deployment Strategy 17 Figre 1.6 Interim Environment for Trey Research trccorp.treyresearch.net west.trccorp.treyresearch.net asia.trccorp.treyresearch.net east.trccorp.treyresearch.net At a later time, Contoso determined that a single domain wold be more cost-effective for the Erope, Middle East, and Asia region, so the final step in the deployment process is to restrctre asia.trccorp.treyresearch.net into the emea.concorp.contoso.com domain in the Contoso forest by sing ADMT. Figre 1.7 shows the domain strctre for the Contoso corporation after the acqisition of Trey Research and the Windows Server 2003 Active Directory deployment process is complete. Figre 1.7 Final Environment for Contoso and Trey Research concorp.contoso.com trccorp.treyresearch.net noam.concorp.contoso.com emea.concorp.contoso.com west.trccorp.treyresearch.com east.trccorp.treyresearch.com

16 18 Chapter 1 Planning an Active Directory Deployment Project Testing and Verifying the Deployment Process In any Active Directory deployment, yo can minimize the impact on normal bsiness operations by testing design assmptions and verifying the deployment process in a pilot program. As yo create the first draft of yor Active Directory design, begin to test and verify. Testing and verifying begin dring the design phase and contines throgh the deployment and operations phase. Figre 1.8 shows the process for testing and verifying yor Active Directory design and deployment. Figre 1.8 Testing and Verifying the Active Directory Design and Deployment Determine yor Active Directory design and deployment strategy Test and verify the deployment process Test the design and deployment in a lab environment Verify the deployment in a pilot program Complete the pilot deployment program Testing the Design and Deployment in a Lab Environment Lab testing is the first evalation of the Active Directory design. Dring lab testing, yo confirm the assmptions made by the design architects. As the first draft of the Active Directory design approaches completion, begin testing specific design assmptions in the deployment process in a lab environment. By testing the deployment process in yor lab, yo can discover potential design problems that affect the deployment process and provide feedback to the design team to correct problems before the deployment.

17 Testing and Verifying the Deployment Process 19 Ensre that the test lab environment is isolated from the rest of yor organization's prodction network and represents, on a small scale, the hardware and operating system configration of the compters in yor organization. Inclde enogh domain controllers in the lab environment to spport a representative sample of yor site design, inclding intrasite and intersite replication partners, site links, and realistic replication intervals. Inclde ser and grop acconts and other resorces that are exclsively designated for testing. Ensre that yor test environment provides access to test configrations of external services, sch as mainframe or Internet access, as reqired. Retain the lab permanently to test new procedres and train the deployment team. The deployment team can se the lab environment to learn the specifics of yor deployment process and to gain familiarity with the deployment and migration tools that are sed dring the Active Directory deployment. Typically, the design assmption tests and the deployment process tests are performed by different teams. Table 1.4 lists the lab tests and the team members who perform the tests in the lab. Table 1.4 Lab Tests and Corresponding Team Members Test Process Lab Tests Team Members Test design assmptions Test deployment process Analyze Active Directory replication and site topology. Test application and desktop compatibility. Test disaster recovery. Test accont and resorce migration. Evalate delegation, administration, and management. Design team, site topology owner, and deployment team. Design team. Forest owner and deployment team. Forest owner and deployment team. Forest owner. Testing Design Assmptions Dring the design process, the design team makes assmptions that are incorporated into the Active Directory design, sch as Active Directory replication and application compatibility. After the team completes a preliminary draft of the design, it mst prove these assmptions in the lab environment. To test the design assmptions in the lab environment, the design team mst: Analyze Active Directory replication site topology. Develop a test plan, and then test application and desktop compatibility.

18 20 Chapter 1 Planning an Active Directory Deployment Project Analyze Active Directory Replication and Site Topology The site topology design specifies the maximm replication latency. This is the length of time that is reqired to replicate changes throghot the forest. The design team mst make sre that forest-wide replication latency is less than or eqal to the maximm replication latency specified in the design. The team mst perform a worst-case test that is based on the maximm nmber of hops that are assmed in the design. The team mst observe the time that is reqired for replication convergence when a domain controller or commnications link fails. To analyze Active Directory intersite replication site failover 1. Identify the domain controllers that are responsible for intersite replication by sing Active Directory Sites and Services. 2. Disconnect domain controllers or disable commnications links that are sed in intersite replication. 3. Allow the Knowledge Consistency Checker (KCC) to atomatically configre new replication topology. 4. Identify the domain controllers that are now responsible for intersite replication. 5. Reconnect the domain controllers or enable commnications links. 6. Verify that the intersite replication topology retrns to the original state, as identified in step 1. Verify Application and Desktop Compatibility The design team mst also determine the compatibility between applications, desktop operating systems, and Active Directory. Typically, the aspects of application testing that are affected by an Active Directory migration or pgrade inclde applications that rn on servers and client compters, in addition to remote access sage. Verify the application and desktop compatibility design assmptions by creating a list of all critical applications. Have design team members test each application to make sre that it operates correctly in a migrated environment. When yo verify application and desktop compatibility, verify that: Existing server applications, sch as those that crrently rn on a Windows NT 4.0 backp domain controller (BDC), can rn on Windows Server 2003 based member servers and domain controllers. For example, some server applications that rn on BDCs take advantage of Shared Local Grops. To rn these server applications on a Windows Server 2003 based domain controller, verify that the applications rn correctly by sing Active Directory domain local grops. Server applications that rn on a mixtre of Windows Server 2003 based and Windows NT 4.0 based servers can interoperate with one another. For example, verify that a Windows Server 2003 based server rnning Microsoft SQL Server can interact with a Windows NT 4.0 based server rnning the same application.

19 Testing and Verifying the Deployment Process 21 Existing desktop applications rn correctly when the domain infrastrctre is migrated to Windows Server 2003 Active Directory. Existing applications that se integrated Windows secrity rn correctly when the domain infrastrctre is migrated to Windows Server 2003 Active Directory. If yo find that a server application cannot be migrated to a Windows Server 2003 based domain controller, yo can try to reinstall the application or a later version of the application on a Windows Server 2003 based member server. If the application cannot rn on a server that rns Windows Server 2003, yo can contine to rn the application on the server that rns Windows NT 4.0 or Windows Provide feedback to the design team that the server application's domain cannot be pgraded inplace or consolidated and mst remain ntil a version of the application that can rn on a Windows Server 2003 based domain controller is available. As a long-term deployment goal, transition any applications that crrently rn on domain controllers to member servers. Testing Deployment Processes In a lab environment before the pilot program begins, the deployment team mst test specific tasks that are essential to the Active Directory deployment process, sch as testing accont and resorce migration from Windows NT 4.0 to Windows Server 2003 Active Directory. To verify the deployment process in the lab environment: Test disaster recovery. Test accont and resorce migration. Evalate delegation, administration, and management. Test Disaster Recovery Test disaster recovery in yor lab environment to validate that sers can log on within an acceptable response time ntil a failed domain controller is restored and to determine the time that is reqired to restore the failed domain controller. To implement a disaster recovery process in yor Active Directory deployment, back p the System State data on at least two domain controllers in the lab environment. After yo back p the data, yo need to test the validity of the backp tape and the restore process. Test the following scenarios: Perform a non-athoritative restore of the domain controller whose directory services database contains corrpted data. Perform an athoritative restore of a domain controller to restore Active Directory data that has been deleted.

20 22 Chapter 1 Planning an Active Directory Deployment Project Make sre that the tests represent the slowest connection speeds in yor environment and the largest nmber of ser acconts. For example, when yo determine the time that is reqired to restore a failed domain controller, make sre to test the restore of System State data from yor backp for any domain controller that is the only one in a site that is connected with a data rate of 128 Kbps or less. In addition, test the restore of System State data from yor backp for any domain controller in a domain that contains more than 20,000 ser acconts. When a domain controller is connected to other domain controllers with a data rate that is eqal to or greater than 128 Kbps, test yor process for installing Active Directory on a new domain controller and letting Active Directory replication repoplate the Active Directory database. For more information abot testing disaster recovery, see the Active Directory Disaster Recovery (.doc) link on the Web Resorces page at Test Accont and Resorce Migration To test the deployment process for accont and resorce migration, se the procedres in the chapter for the restrctre process that yo are planning. Organizations that are planning to restrctre Windows NT 4.0 domains can also perform the following tests of their restrctre process: To test the deployment process for accont and resorce migration 1. In two or more prodction Windows NT 4.0 accont domains, create new backp domain controllers (BDCs). 2. Remove the new BDCs from the prodction network. 3. Install the new BDCs in the lab environment. 4. Promote the new BDCs to primary domain controllers (PDCs). 5. Perform in-place pgrades and restrctre the accont domains in yor lab. 6. Perform accont and resorce migrations by sing a migration tool sch as ADMT. 7. Verify that migrated acconts have access to resorces and retain ser profiles.

21 Testing and Verifying the Deployment Process 23 Evalate Delegation, Administration, and Management Evalate the delegation, administration, and management processes by creating the organizational nit strctre that is specified by yor Active Directory design. Delegate control of organizational nits to specific grop acconts that are sed for administration. Use these steps to verify the sccess of the delegation: To verify sccessfl delegation of control of OUs to specific grops 1. Log on as a ser who belongs to the grop accont to which yo delegated control. 2. Perform administration tasks on objects within the organizational nit (for example, modify the properties of a ser in an accont organizational nit). 3. Try, and sbseqently fail, to perform administrative tasks on organizational nits to which the administration grop does not have delegated control. Verifying the Deployment in a Pilot Program In the lab environment, yo verify that the deployment process works otside of yor prodction environment on acconts and resorces that approximate yor prodction environment. If yor environment rns Windows 2000 Active Directory, se yor existing pilot program to verify yor Windows Server 2003 deployment. In the pilot deployment program, identify a controlled sbset of the acconts (sers, grops, and services) and resorces that exist in the prodction environment. Perform the deployment process on the identified acconts and resorces. The goals of the pilot program inclde: Extend testing into a sbset of the prodction environment. Provide a test environment for other design and deployment grops, sch as Exchange 2000 deployment. Verify process and procedres for network and operating system infrastrctre pdates. Verify proper operation of application pdates. Evalate the impact of monitoring soltions on the network infrastrctre and the servers that are being monitored. Discover any potential problems in the deployment process that are cased by complexities that cold not be modeled in the lab environment. Revise the deployment process to correct any problems that yo discovered before the prodction deployment. In yor pilot deployment, begin with sers who are involved in the deployment project, and then inclde sers who are representative of yor ser poplation.

22 24 Chapter 1 Planning an Active Directory Deployment Project To create a pilot deployment program in yor environment 1. Create forest_root_domain (where forest_root_domain is the name of an empty Active Directory forest root domain that was created by appending -test to the same name as the prodction forest root domain). 2. Create regional_domain (where regional_domain is the regional domain name in the pilot program) by appending -test to a prodction regional domain. 3. Establish the appropriate trst relationships between regional_domain and winnt_domain (where winnt_domain is a Windows NT 4.0 accont or resorce domain). 4. Migrate selected acconts and resorces from winnt_domain to regional_domain. 5. Verify that sers and administrators can minimally perform the same tasks that they performed before the migration (sch as resorce access, accont administration, and resorce administration). Important When yo migrate prodction sers to the pilot, leave the ser acconts enabled in the prodction and the pilot environments. By leaving the ser acconts enabled in the prodction environment, yo provide a fallback plan if any problems occr in the pilot environment. Example: Creating a Pilot Deployment Program for Trey Research Contoso corporation and Trey Research created a pilot deployment program for the Active Directory deployment. Table 1.5 lists the names that they provided for their pilot deployment. Table 1.5 Example of a Pilot Deployment Program Domain Name forest_root_domain regional_domain winnt_domain trccorp-test.treyresearch.net east-test.trccorp-test.treyresearch.net BOSTON for accont domain OFFICE-APPS for resorce domain Figre 1.9 illstrates the pilot deployment configration.

23 Testing and Verifying the Deployment Process 25 Figre 1.9 Pilot Deployment Configration trccorp-test.treyresearch.net east-test.trccorp-test.treyresearch.net OFFICE-APPS (Accont Domain) BOSTON (Resorce Domain) Completing the Pilot Deployment Program After yo finish the pilot deployment program, retain the pilot deployment environment and se it as a staging environment for yor prodction deployment. Contine to se the pilot forest to verify new deployment processes, sch as adding new applications or schema extensions, installing operating systems, creating Grop Policy objects, or restrctring organizational nits. As noted earlier, provide a fallback plan by leaving ser acconts enabled in both the original prodction environment and the pilot deployment environment. Keep sers in the pilot deployment environment to do their prodction work; do not migrate the acconts from the pilot deployment environment to the prodction forest. Instead, if yo decide to move pilot sers to another prodction forest, migrate them from their original prodction environment. This ensres that all sers in the prodction forest have consistent acconts and makes trobleshooting easier.

24 26 Chapter 1 Planning an Active Directory Deployment Project Example: Completing the Pilot Deployment Program for Trey Research Figre 1.10 shows a comparison between the design of the Active Directory pilot forest and the prodction forest deployment. Figre 1.10 Comparison of the Pilot Forest and the Prodction Forest Pilot Forest Trey Research Prodction Forest trccorp-test.treyresearch.net trccorp.treyresearch.net east-test.trccorp-test.treyresearch.net west.trccorp.treyresearch.net east.trccorp.treyresearch.net Additional Resorces These resorces contain additional information and tools related to this chapter. Related Information Designing the Active Directory Logical Strctre in this book. Designing the Site Topology in this book. Planning Domain Controller Capacity in this book. Enabling Advanced Windows Server 2003 Active Directory Featres in this book. Deploying the Windows Server 2003 Forest Root Domain in this book.

25 Deploying the Windows Server 2003 Regional Domains in this book. Additional Resorces 27 Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book. Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book. Restrctring Windows NT 4.0 Domains to an Active Directory Forest in this book. Restrctring Active Directory Domains Between Forests in this book. Restrctring Active Directory Domains Within a Forest in this book. Deploying DNS in Deploying Network Services in this kit. The Active Directory link on the Web Resorces page at Click Planning & Deployment Gides to find additional links where yo can download the following gides: Active Directory Branch Office Planning Gide Active Directory Operations Gide Best Practice Active Directory Design for Exchange 2000 Mltiple Forest Considerations Best Practice Gide for Secring Active Directory Installations and Day-to-Day Operations: Part I Related Help Topics For best reslts in identifying Help topics by title, in Help and Spport Center, nder the Search box, click Set search options. Under Help Topics, select the Search in title only check box. Active Directory in Help and Spport Center for Windows Server Windows Spport Tools nder Tools in Help and Spport Center for Windows Server 2003.

26