Monday, July 21, 2008

ADMT 3.1 Released + Improved Migration Guide

The FREELY available AD Migration tool from Microsoft, ADMT (Active Directory Migration Tool) v3.1 has now officially been released. It includes support for migrating from Windows 2008 DCs, 32-bit and 64-bit PES (Password Export Service), as well as several bug fixes (and other improvements) over v3.0.

Here it is.

Microsoft has also released an improved ADMT migration guide, titled Migrating and Restructuring Active Directory Domains Using ADMT v3.1. Get it here.


Tuesday, July 15, 2008

2008 Printer Migration and Consolidation

Step-by-step, using the Print Migrator replacement - Printer Migration Wizard / Printbrm.
Here.

Other helpful links:
KB938923 - How to back up and then restore printers when you upgrade from Windows Server 2003 to Windows Server 2008
Windows 2008 Print Services (TechNet link)

Friday, July 11, 2008

Migrating login scripts...necessary?

I often see companies looking to carry over login scripts for users after they are migrated, or looking for an alternative to login scripts (in a large enterprise environment, managing hundreds of login scripts can become a nightmare, especially in a non-decentralized administrative model). Oftentimes GPOs can replace many login script functions, and Microsoft has recently released their Group Policy Preferences tool. This tool essentially lets you manage O/S and application settings that were previously unmanageable via GPOs. Some examples include managing group membership, mapped drives (with some very flexible settings around mapped drives), Start menu settings, printers, folder options/view, and countless others.

By combining GPOs and GPPs, in many cases we're now able to completely eliminate the need for a login script.

Q. What is the main difference between policy settings and preference settings?

A. The main difference between policy settings and preference settings is that preference settings are not enforced. This means the end user can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.

A few things to note:
* To manage GPPs you need a Win2008 Server or Vista-SP1 machine on your network
* To utilize GPPs you need your clients to at least be at XP-SP2, Vista, 2003-SP1, or 2008, in addition to having the GPP Client-Side Extensions update installed (available via Windows Update)

For more information:
Group Policy Preferences Overview
Group Policy Preferences FAQ

Wednesday, July 9, 2008

Windows Server 2008 Step-by-Step Guides

Always looking for downloadable versions of 2008 pages from the 2008 TechNet on-line library? Here's a collection of over 25 Step-by-Step guides for Server 2008.

Migration suites/tools- the players

Microsoft - ADMT 3.0, ADMT 3.1 (BETA) - Users, Groups, Profiles, Workstations, Servers. ADMT 3.1 now supports Server 2008.

Microsoft - FSMT (File Servers, only currently supported up to Server 2003), Print Migrator (Print Queue/Server Migrations, currently supported up to Server 2003)

Quest Software - DMW and Quest Migration Manager for AD

NetIQ - Domain Migration Administrator

WinZero - Server and Domain Migrator 2007

PointDev - PointDev's IdealMigration is a great product to demo. It includes MMC snap-in functionality, and the free reporting features included in the Demo alone make it worth checking out. Ideal for NT/2000/2003 environments.

Free WebCast: Plan Your Windows Server 2008 Migration in Less Time with Fewer Resources

Essential viewing prior to any 2008 migration activities. Level 200.

Go here

Presented by: Baldwin Ng, Senior Product Manager, Microsoft Corporation

Microsoft Assessment and Planning Solution Accelerator (MAP)

Planning to upgrade to 2008? The MAP tool from Microsoft is absolutely essential in helping to plan, assess and inventory your current environment's readiness for 2008 (as well as other O/S and Office solutions - Vista, for example), all while not even needing to install an agent. Get this fantastic FREE product here

PStools - Free, essential tools for all admins

If you haven't heard of the PStools free suite of tools (formerly from SysInternals, now owned by Microsoft), here is a great primer on the suite, and the thinking behind their creation:

The Desktop Files: PStools Primer

Fixing ACLs on Permissioned Resources

ADMT can be used to an extent to re-ACL servers and workstations in preparation for migrating to a new domain; however, mass re-ACLing of data (whether to replace or append ACE entries to an ACL) is often required for large data moves. A great tool to effectively copy/move/sync source and target data (while retaining security permissions) is Robocopy. This is a freely available tool from Microsoft, and there is even a free GUI front-end for the command-line challenged (or if you just want to avoid fat-fingering a critical data copy/move operation).

In conjunction with Robocopy, you can use the free SubInACL tool to replace/append SIDs in the ACL of each file/folder. SubInACL can be fed a mapping file which maps source to target user names/SIDs. Usually you'll want to start off by appending ACE entries to the ACLs to allow for co-existence (especially if the data migration activities happen to be occurring in parallel with user/group migrations). Once user/group migration activities are complete and the environment has stabilized, you can re-run SubInACL to remove the unneeded source SIDs.

Remember that when using SIDHistory to access resources, you can only reach back into the source, not forward from the source to the target. Even when moving data in the above scenario, I would always make it standard practice to bring users over with their SIDHistory attribute populated with their source domain SID (attribute name in the source: ObjectSID).

As always with SIDHistory, make sure you have it correctly enabled on your trust. Different versions of NETDOM (unfortunately you can only do it from a command line) have different switches to enable SIDHistory. Running netdom /? will tell you whether you should be using the /EnableSIDHistory:Yes switch or the /Quarantine:No switch. Here are examples:

Netdom Syntax:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No

netdom trust trusting_domain /domain:trusted_domain /enablesidhistory:yes

Depending on what security context you're running this command in, you may need to specify source and target domain credentials (the syntax, again, can be found with netdom /?).

Robocopy (included as part of the 2003 Resource Kit - free to licensed Windows users)
Robocopy GUI
SubInACL

Solution Accelerator for Consolidating and Migrating File and Print Servers from Windows NT 4.0

"The Solution Accelerator for Consolidating and Migrating File and Print Servers is a set of documentation which provides guidance on consolidating and migrating file and print servers from Windows NT 4.0 to Microsoft Windows Server 2003 and Windows Storage Server 2003"


Get it here

ADMT User Migration command-line syntax (and examples)

Technet reference article

Credit to Brent Dorrington for the below examples:

Admt.exe can be used to migrate users from the command-line (if you're sick of the ADMT GUI, or just want to automate/batch/script your migrations):

Appropriate syntax:

ADMT USER /N "user_name1" "user_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /MSS:YES

Therefore, if you have a CSV file, with your username in the 1st column, you could run

for /f "tokens=1,2,3* delims=,/ " %%i in (mycsvfile) do ADMT USER /N "%%i" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /MSS:YES

Note: if you are running from command line, remove the 2nd % in above syntax. The above syntax is fine if you are running in a batch file.

If the username isn't in the 1st column, then just increment %i (i.e. the 2nd column would be %%j, and so on). You will need to increase the tokens if the username is in column 3 or greater.


Thanks Brent!

Microsoft File and Print Migration Tools (Free)

File Server Migration Toolkit

Print Migrator

Well-Known Security Identifiers (SIDs)

Similar to TCP ports, have you ever wondered what all the different Windows SIDs are reserved for? Down below is a quick list of common Well-Known SIDs, and at the bottom of this post you'll find a link to the MKB article with an almost complete list.

First off, here's how a SID breaks down:

Example: S-1-5-21-1674060341-653213906-1520766640-1984

The first character is always an S. It identifies the string as a SID.

The first number is the SID revision level.

The second number identifies the authority (5 is the NT authority).

The third set of numbers is the domain or local computer identifier (in this case: 21-1674060341-653213906-1520766640).

The final number (after the last hyphen) is the RID (Relative ID). Any RID of 1000 or higher is part of a SID generated by the domain's RID Master. RIDs below 1000 are built-in, created by default and reserved (for example, a trailing 500 is reserved for the Administrator account). In the above example, 1984 is the RID of a user object created in the domain.



SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.

SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest account.

SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.

SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.

SID: S-1-5-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

SID: S-1-5-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.


Well-known security identifiers in Windows operating systems

ADMT UPN Issue when Merging Objects (zero appended)

Have you run into a strange issue in ADMT where you see a random zero ("0") or one ("1") appended to a UPN after using ADMT to migrate and merge a source object with a target object?

This happens in ADMT where target accounts, after being merged with a source account, randomly get a zero appended to their UPN. If you fix the UPNs (using ADSIEdit, ADExplorer, or ADModify) and re-migrate the same batch of users, it happens again, but to a different, random set of users. A workaround is to use ADModify to query for (userprincipalname=*0@domain.com) and then reset their UPNs to samaccountname@domain.com. It's a pain to run ADModify after every batch of users, however, not to mention keeping track of any accounts to exclude (e.g., Student10@domain.com might accidentally get changed to Student1@domain.com).

This question was raised to the ADMT PM for Microsoft, and his comments were:

It happens when:


  • there is an existing account in the Target domain with same UPN
  • an include file is used to specify SourceName and TargetName values and these values are different

To fix it the best practice is to specify SourceName, TargetRDN, TargetSAM and TargetUPN in Include file.

We will be updating existing documentation to cover this better shortly for ADMT v3.1.
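As an added example (not part of the post or of ADMT), this Python applies the workaround described above to an export of sAMAccountName/userPrincipalName pairs, but flags only UPNs whose prefix is the sAMAccountName plus one appended 0 or 1, so accounts such as Student10 are left alone. The ACCOUNTS list and the domain.com UPN suffix are constructed for illustration.

```python
import re

UPN_SUFFIX = "domain.com"  # assumption: the target domain's UPN suffix, as in the post

# Constructed records, as exported from the target domain after an ADMT merge batch:
# (sAMAccountName, userPrincipalName).
ACCOUNTS = [
    ("jsmith", "jsmith0@domain.com"),       # ADMT appended a zero
    ("mjones", "mjones1@domain.com"),       # ADMT appended a one
    ("Student10", "Student10@domain.com"),  # legitimate, but matched by a *0@ query
    ("Student1", "Student10@domain.com"),   # genuinely damaged: Student1 became Student10
    ("bwayne", "bwayne@domain.com"),        # untouched
]

def find_appended_digit_upns(accounts, suffix=UPN_SUFFIX):
    """Return (sAMAccountName, current UPN, proposed UPN) for every account whose UPN
    prefix is its sAMAccountName plus one trailing '0' or '1'.  Checking against the
    sAMAccountName, rather than searching *0@, leaves accounts such as Student10 alone."""
    fixes = []
    for sam, upn in accounts:
        prefix, at, domain = upn.rpartition("@")
        if not at or domain.lower() != suffix.lower():
            continue  # no '@' or a different suffix: not the symptom described
        if prefix.lower() == sam.lower():
            continue  # UPN already agrees with the sAMAccountName
        if re.fullmatch(re.escape(sam) + r"[01]", prefix, re.IGNORECASE):
            fixes.append((sam, upn, "%s@%s" % (sam, suffix)))
    return fixes

if __name__ == "__main__":
    for sam, bad, good in find_appended_digit_upns(ACCOUNTS):
        print("%-10s %-22s -> %s" % (sam, bad, good))
```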




Sample SIDMapping file for ADMT

I've noticed the lack of available documentation around SIDMapping files used by ADMT. While they are mentioned briefly in the ADMT help file, and even in the MKB, there aren't any actual examples. I was originally stuck on this for a bit since I was used to the format of the normal ADMT include files (a sourceName,TargetName,etc. header on the first line, then the comma-delimited values on the subsequent lines). Something to note: your SIDMapping file can contain multiple source domain SIDs (in a scenario where you're merging multiple source accounts - I've included examples of this below) that map to a single target domain object. I've seen user objects in AD with their SIDHistory attribute populated with 15-20 values. Anyway, below is a sample SIDMapping file I've used in the past. Notice that you can specify either by SID or by domain\username (in the second case, the domains will need to be reachable in order to resolve the domain\username to its actual Security Identifier).

sample sidmapping.txt file (cut and paste into Word, Notepad, etc to see the ends of lines trailing off the page):


S-1-5-21-1674060341-653213906-1520766640-1984,S-1-5-21-219123761-1972038647-3338400271-28241
S-1-5-21-1674060341-653213906-1520766640-5114,S-1-5-21-219123761-1972038647-3338400271-28241
S-1-5-21-602162358-299502267-839522115-2502,S-1-5-21-219123761-1972038647-3338400271-28241
NTDomain\janedoe,NEWCorp\janedoe1
S-1-5-21-1674060341-653213906-1520766640-2202,S-1-5-21-219123761-1972038647-3338400271-22263
S-1-5-21-1674060341-653213906-1520766640-5100,S-1-5-21-219123761-1972038647-3338400271-22263
XYZCorp\johndoe,NEWCorp\johndoe
NTdomain\jdoe,NEWCorp\johndoe
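As an added example (not part of the post or of ADMT), the Python below breaks a SID into the parts described in the Well-Known SIDs post above, names the well-known RIDs that post lists, and checks a SIDMapping file in the format just shown: it groups the source SIDs merging into each target and flags malformed lines and any source mapped to two different targets. The SAMPLE constant is constructed from the first lines of the sample file.

```python
import re
from collections import defaultdict

# Well-known domain RIDs and built-in local group SIDs listed in the post.
DOMAIN_RIDS = {501: "Guest", 512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
               515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
               519: "Enterprise Admins"}
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-<revision>-<authority>-<identifier>-<RID>' into its parts."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "identifier": "-".join(str(x) for x in subs[:-1]), "rid": subs[-1]}

def describe_sid(sid):
    """Name a well-known SID, else classify the RID as reserved default (< 1000) or RID Master-issued."""
    if sid in BUILTIN:
        return "built-in local group: " + BUILTIN[sid]
    p = parse_sid(sid)
    if p["authority"] == 5 and p["rid"] in DOMAIN_RIDS:
        return "well-known domain account/group: " + DOMAIN_RIDS[p["rid"]]
    if p["rid"] < 1000:
        return "reserved default RID %d" % p["rid"]
    return "domain object created by the RID Master (RID %d)" % p["rid"]

def load_sid_mapping(text):
    """Parse an ADMT SIDMapping file ('source,target' lines, SID or DOMAIN\\user); return ({target: [sources]}, [problems])."""
    by_target, problems, seen = defaultdict(list), [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = [f.strip() for f in raw.split(",")]
        if len(parts) != 2 or "" in parts:
            problems.append("line %d: expected exactly 'source,target'" % n)
            continue
        for side in parts:
            if SID_RE.match(side) is None and "\\" not in side:
                problems.append("line %d: %r is neither a SID nor DOMAIN\\user" % (n, side))
        src, tgt = parts
        if seen.setdefault(src, tgt) != tgt:  # one source may merge into only one target
            problems.append("line %d: source %s already mapped to %s" % (n, src, seen[src]))
        by_target[tgt].append(src)
    return dict(by_target), problems
# Constructed sample (first lines of the post's file): two source SIDs merging into one target.
SAMPLE = """S-1-5-21-1674060341-653213906-1520766640-1984,S-1-5-21-219123761-1972038647-3338400271-28241
S-1-5-21-1674060341-653213906-1520766640-5114,S-1-5-21-219123761-1972038647-3338400271-28241
NTDomain\\janedoe,NEWCorp\\janedoe1"""
```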






For more information on Security Identifiers (SIDs):

How to use a SID mapping file with the ADMT tool to perform a resource domain migration to Windows Server 2003
Why Understanding SIDs is Important
How to Associate a User Name with a Security Identifier