The Essential Guide to an NDS-to-Active Directory Migration

By David Chernicoff


The Essential Guide, December 2004

This special advertising section was produced by the Windows IT Pro Custom Media Group in conjunction with Quest Software. This supplement appears as an insert in the December 2004 issue of Windows IT Pro magazine.

With the release of Windows Server 2003 and a new generation of Active Directory, many enterprise IT departments have decided the time has come to move from their current networking environment to Active Directory. Included in this group is a fairly significant contingent with extensive directory experience—that is, Novell NetWare, Novell Directory Services (NDS), and eDirectory users. Well aware of Novell, Microsoft has designed tools specifically to help move NDS/eDirectory users to Active Directory. You’ll find the tools—Microsoft Directory Synchronization Services (MSDSS) and File Migration Utility (FMU)—in Microsoft Windows Services for NetWare 5.x.

Using Microsoft’s Tools

MSDSS is designed for use in environments where NDS/eDirectory is deployed and where plans are underway to deploy Windows Server 2003. The tool offers two-way synchronization between the directory services, so migrating in one step or allowing long-term coexistence between NDS/eDirectory and Active Directory isn’t necessary. In addition, MSDSS’s single interface offers migration, synchronization, and management options for ongoing integration of NDS and Active Directory.

FMU, which is integrated with MSDSS, is designed to move data in bulk from NDS to Active Directory networks while maintaining the appropriate security permissions. The data can be copied in one-to-many and many-to-many modes, which makes possible copying from multiple sources to a single destination, from multiple sources to multiple destinations, or from a single source to multiple destinations. This functionality lets administrators move appropriate data from the old network to the correct locations on the new network without needing to make multiple individual copies, each of which requires manual intervention. FMU’s most important feature is that users don’t lose access to their files during the migration process.

MSDSS and FMU are functional tools, but they are basic tools that solve only a small part of the overall problem set that an NDS/eDirectory–to–Active Directory migration presents. Complex environments that are typical of medium to large NDS/eDirectory environments require a flexible, project-based solution. A solid, fully functional third-party tool that helps administrators plan, test, and manage the migration process can ensure a successful migration.

Planning the Migration

As Table 1 shows, significant differences exist between NDS/eDirectory and Active Directory. Overcoming these differences isn’t impossible but requires careful premigration planning. Without detailed information about the existing structure of both the NDS/eDirectory and Active Directory networks (or only the NDS/eDirectory network if you are creating a new Active Directory environment), the process of migration will be haphazard and fraught with problems.

Table 1: Important Differences Between NDS and Active Directory

| Key Feature | Novell Directory Services/eDirectory | Active Directory |
| --- | --- | --- |
| Computer Account | Only servers authenticate. | Server and client computers running Windows NT or later OS must have a computer account in the Active Directory domain. |
| File ACLs | NDS/eDirectory-only file permissions are stored in the directory. Permissions are flexible and very granular. | Active Directory doesn’t store file permissions. In Windows Server 2003, file permissions are handled by the file system. The permissions are less granular than NDS/eDirectory permissions. |
| File Sharing | Sharing occurs according to NDS volume. | Sharing occurs according to the NT file share. |
| Group Account | Only one group-type account | Local, Global, Universal, and Domain Local Groups |
| Login Scripting | Login scripts can be provided for individual users and for each OU that the user is a member of. | One logon script through the user attribute. |
| Object Naming | NDS/eDirectory adheres to strict X.500 naming conventions, which require that an object must be unique only within its container object. The same object name can be used throughout the directory as long as it isn’t repeated within a container. | Object name must be unique to the domain; therefore, an object name can be used only once. |
| Security | Security principals within NDS/eDirectory can be an organizational role, OU, Group, or User. | As defined in Group Accounts, security can be applied to any existing group as well as applied universally, to designated users, or to computers (i.e., anything with an account in Active Directory). |
| Security Equivalence | In NDS/eDirectory, any object can be made equivalent to any other object, so that the equivalent object acquires the original object’s security attributes. | This functionality isn’t available in Active Directory. |
| User Account | NDS/eDirectory User accounts can have almost twice the number of account attributes as Active Directory User accounts. | Contains 24 attributes that map well to crucial NDS/eDirectory attributes. |

The first step in the planning process is to conduct a detailed assessment of the NDS/eDirectory environment. Necessary to this step is a tool that can generate reports about your existing hardware and software. Some of the report types you’ll need include:

• Hierarchical report about all of the container objects in the NDS/eDirectory environment from a top-down perspective. This report offers an overview of the structure and contents of the NDS tree from the root down, as Figure 1 shows.

• Reports about the current security model, including trustees and permissions on the data volumes. Figure 2 shows one tool’s reporting capability.

• Report about NDS-dependent software. If applications (such as ZENworks) are in use, you’ll need to replace these dependent applications. Although such replacement might occur toward the end of your migration, you need to plan for it.

• Report that identifies duplicate names in the NDS tree, as Figure 3 shows. You must identify these names before migrating because they must be unique in Active Directory. If the names are user accounts, you’ll need to remember to create home directories for any account names that must be changed.

• Reports that identify inactive accounts, servers, and objects, such as the one Figure 4 shows. If your NDS environment contains objects that don’t need to be migrated, accounts that are no longer in use, or objects that won’t be necessary in Active Directory, you must identify them so that they aren’t migrated.

Figure 1: The NDS tree

Figure 2: Sample reporting categories
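The duplicate-name and inactive-account reports in the list above interact: an account that will not be migrated cannot cause a name clash. The following is an added example, not taken from the guide or from any migration tool, that runs both reports over a constructed export. The tuple layout, the 180-day idle threshold, the single target domain and the rule for which object keeps its name are assumptions.

```python
"""Added example: duplicate-name and inactive-account report for an NDS export."""
from collections import defaultdict
from datetime import date

AS_OF = date(2004, 12, 15)  # report date (constructed)

# Constructed sample export: (typeful NDS name, object class, last login).
NDS_EXPORT = [
    ("CN=jsmith.OU=Sales.O=Acme", "User", date(2004, 11, 30)),
    ("CN=JSmith.OU=Engineering.O=Acme", "User", date(2004, 12, 1)),
    ("CN=mlee.OU=Sales.O=Acme", "User", date(2003, 2, 14)),
    ("CN=mlee.OU=Engineering.O=Acme", "User", date(2004, 10, 5)),
    ("CN=temp01.OU=Sales.O=Acme", "User", None),
    ("CN=Printers.OU=Sales.O=Acme", "Group", None),
    ("CN=printers.OU=Engineering.O=Acme", "Group", None),
]


def leaf_name(dn):
    """Leaf name of a typeful NDS name (escaped dots are not handled)."""
    return dn.partition(".")[0].split("=", 1)[1]


def inactive_users(export, as_of, max_idle_days=180):
    """Users that never logged in or have been idle longer than the cutoff."""
    stale = []
    for dn, cls, last_login in export:
        if cls != "User":
            continue
        if last_login is None or (as_of - last_login).days > max_idle_days:
            stale.append(dn)
    return stale


def domain_collisions(export, skip=()):
    """Names that are legal in NDS (unique per container) but clash once
    every object lands in one Active Directory domain."""
    by_name = defaultdict(list)
    for dn, _cls, _last_login in export:
        if dn in skip:
            continue
        by_name[leaf_name(dn).lower()].append(dn)  # case-insensitive compare
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def rename_plan(export, as_of):
    """Objects that still need a new name after inactive users are dropped.

    Assumed policy: the first DN in case-insensitive sort order keeps its
    name. Renamed user accounts are flagged as needing a new home directory.
    """
    classes = {dn: cls for dn, cls, _last_login in export}
    stale = set(inactive_users(export, as_of))
    plan = []
    for _name, dns in sorted(domain_collisions(export, skip=stale).items()):
        keeper, *others = sorted(dns, key=str.lower)
        for dn in others:
            plan.append({"dn": dn, "clashes_with": keeper,
                         "new_home_dir": classes[dn] == "User"})
    return plan


if __name__ == "__main__":
    print("Do not migrate:", inactive_users(NDS_EXPORT, AS_OF))
    print("Raw collisions:", sorted(domain_collisions(NDS_EXPORT)))
    for step in rename_plan(NDS_EXPORT, AS_OF):
        print("Rename:", step)
```

In the sample, `mlee` shows up as a duplicate in the raw report but drops out of the rename plan because the Sales account is inactive and is excluded from the migration.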


Determine the Active Directory Environment

The next step in the planning process is to make several decisions about the final Active Directory environment. The specific concerns you’ll need to consider include but aren’t limited to the following:

• What will the final Active Directory structure look like: the current NDS/eDirectory structure, the current or a redesigned Active Directory structure? Make sure that you can accomplish your goal within the parameters of the working environment.

• How will you handle passwords? Because passwords can’t be migrated, you need to decide how to handle the creation of new passwords and how to synchronize passwords between NDS/eDirectory and Active Directory while the two environments coexist.

• How will you handle schema extensions? Are the extensions necessary after the migration? If so, how will attributes be added to Active Directory? Can you discard any extensions?

Network Housecleaning

You have the opportunity now to clean up your networking environment. Any network that’s been in existence for more than a few months will have acquired artifacts that are no longer necessary. This detritus often consists of such elements as leftovers from uninstalled applications (i.e., schema changes, directory structures, account permissions), unused groups that are empty or no longer serve a purpose, and a variety of network mappings that won’t be necessary in the new environment. You can make all of these items go away when you migrate to the new directory structure; make sure that you don’t automatically drag along this useless information because you haven’t properly evaluated all of the data in the NDS/eDirectory directory. The migration is your chance to get an added benefit of starting with a fresh directory structure; there is no need to bring along the clutter from the old directory.

Figure 3: Identifying duplicate users

Map the Migration

Finally, completely outline the migration process. Create lists of the actions you need to take and the order in which you must take them. Remember to include a map of NDS/eDirectory objects and their appropriate Active Directory locations, and plan the migration of the home directories for user accounts.

It’s crucial to remember that you need to maintain both NDS/eDirectory and Active Directory during the migration process. You need to formulate a plan to manage both directories and to ensure that all necessary synchronizations are kept current. Manage synchronization changes carefully. These changes aren’t automatic; rather, administrators must identify which objects to synchronize, then manually initiate the synchronization process. Without exercising due care, you can synchronize a change that overwrites another change in the directory to which you’re migrating. Figure 5 shows a migration tool that displays the status of NDS/eDirectory objects during a migration to Active Directory.

Figure 5: Object status during a migration

Make sure to make a full backup prior to migrating. Even the best-laid plans fail occasionally, so be prepared to restore your environments to their premigration state, should that be necessary.

Figure 4: Identifying inactive user accounts

NDS-to-Active Directory Migration Checklist

Create a planning team
Involve
❏ IT staff
❏ Business unit management
❏ Corporate management
❏ User representatives

Define your goals
❏ ______
❏ ______
❏ ______

Understand your directories
Generate NDS/eDirectory reports
❏ User accounts
❏ Duplicate usernames
❏ Home directories
❏ Login scripts
❏ Passwords
❏ Group accounts
❏ Duplicate group names
❏ Tree structure reports
❏ OUs
❏ Security principals
❏ Data
❏ Security permissions
❏ Ownership
❏ Schema extensions
❏ Application-specific

Generate Active Directory reports
❏ User accounts
❏ Groups
❏ Login scripts
❏ Passwords
❏ Tree structure reports
❏ Data
❏ ACLs
❏ Ownership
❏ Schema extensions
❏ Application-specific
❏ Reconcile the two directories
❏ Map NDS/eDirectory structure to Active Directory structure
❏ Determine Active Directory group memberships for NDS/eDirectory users
❏ Redesign Active Directory hierarchy to meet current needs of both migrated NDS/eDirectory users and existing Active Directory users
❏ Chart necessary changes
❏ Determine data migration needs
❏ Make sure critical file information is migrated along with actual data

Determine necessary changes to user desktops
❏ Drive mappings
❏ Location changes for network resources
❏ Printers
❏ Client software changes
❏ Installation or removal of client software

Test plans
❏ Develop a migration test plan
❏ Determine what third-party tools will be necessary to a successful migration
❏ Test migration process on a small scale
❏ Determine migration time frame
❏ Will maintaining two directories simultaneously be necessary?
❏ Can the migration be completed without affecting users?

Double-check prior to actual migration
❏ Does the migration plan include disaster contingencies?
❏ Plan for success as well as failure
❏ Replacement applications (if required) for users in place?
❏ Contingency planning complete?
❏ Evaluate high-probability "what-if" scenarios

Considerations for Migrations in Progress

After you begin the migration, you’ll make decisions according to your migration plan. The first concern you’ll deal with is the new directory structure. In your migration plan, you decided either to retain the NDS/eDirectory structure or move to a newly designed or existing Active Directory structure. Your migration tool should let you make these structural changes on the fly, as Figure 6 shows—flattening the existing NDS/eDirectory structure, matching the existing NDS/eDirectory structure, migrating into the planned Active Directory structure, or implementing any combination of changes that suits the needs of the final architecture. Regardless of how well you plan, you might encounter problems that require you to make minor changes to your planned directory architecture. For example, NDS/eDirectory behaves fairly consistently no matter how many layers deep your tree structure is; Active Directory prefers a flatter, shallower environment with only a few levels of depth for optimal performance. Remember to keep conditions and factors like this in mind when you plan your migration.

Directory Structure

When the new directory structure is in place, you’ll need to populate it. Although plenty of objects will vie for your attention, user accounts are the best place to start. Here is where your plans for handling inactive accounts, duplicate usernames, and passwords will be tested first. And, as Table 1 shows, login script support is different in NDS/eDirectory and Active Directory, so you’ll need to make necessary accommodations.

Figure 6: Making structural changes to a directory during a migration

Your migration plan will have determined how to accommodate any new naming conventions that you plan to implement or to match with existing Active Directory usage. Also, you will have created a map to guide you in assigning security permissions appropriately to newly created groups of migrated NDS/eDirectory users or in providing the necessary permissions and access rights to new Active Directory users. Your choices will be to retain each user’s current rights, to map existing NDS/eDirectory rights to the equivalent Active Directory rights, or to change previous rights to match new Active Directory requirements.

Maintaining users’ group membership information during the migration process is crucial. Unless you are working with such a small network that you can accomplish the migration in one shot, you will need to maintain the two directory infrastructures side by side and keep rights and permissions synchronized until the migration is complete.

Security Concerns

Pay careful attention to the migration of your security model. You might have security principals in NDS/eDirectory that don’t translate well into Active Directory. Evaluate the impact that creating equivalence to those security principals will have if you make a direct translation into Active Directory. You will likely find that doing so gives affected users or groups a far broader range of permissions than you would prefer in Active Directory. You might find that you need to create new group models and a more granular application of file permissions to create the security environment you want. NDS/eDirectory has only a single group type, whereas Active Directory, in Windows Server 2003, has seven (four of which are global). Make careful decisions about what types of groups are applicable and make use of NDS/eDirectory’s single security group type to provide your network with the security model you need.

Migrating Data

Although migrating data seems straightforward, the process has its own pitfalls. You must maintain file contents and file attributes throughout the data migration process. For example, make sure that users retain ownership of their files; if you aren’t careful, you can mistakenly change the ownership of user files that you’re migrating to the account that you are using for the migration. File attribute information, such as last date accessed and last date created, is necessary to certain secondary applications, such as backup programs. The goal is to migrate data files while retaining the same user access permissions that were in place before the migration.

Client Concerns

Don’t forget that you must update all client workstations involved in the migration. Workstations must be configured to log on to the Active Directory domain and not the Novell network. (You can accomplish this change simply by removing the Novell client.) You also must make certain that OLE automation links function (i.e., the links in Office documents and applications), that persistent network, printer, and driver mappings function, and that post-logon scripting has the expected and desired results. A significant part of your premigration planning mindset is to keep the migration’s impact on your users absolutely minimal. Concerns that attract the notice of your users will generate help desk calls that are out of proportion to the actual problem. Magnify that user dissatisfaction by tens or hundreds of users and you’ll find yourself without sufficient time or personnel to deal with all of the problems that proper planning would have prevented.

Application Transitioning

I’ve focused solely on migrating from NDS/eDirectory to Active Directory. If your migration plans include moving to Exchange Server from GroupWise, retaining support for GroupWise, or supporting Windows 2000 Server along with Windows Server 2003, you’ll need to make specific contingency plans to allow these transitions to take place. Each of these applications has its own concerns, as does supporting Active Directory on Windows 2000 Server and Windows Server 2003.

Sweat the Details

The only way to have a successful migration is to plan the process to the smallest practical detail and select the right tools. Before you begin a migration, be sure you’ll be able to effectively plan, test, manage, and execute the process.

David Chernicoff ([email protected]) is a senior contributing editor for Windows IT Pro magazine. He has been writing computer-related features and product reviews for more than 15 years and is coauthor of Microsoft Windows XP Power Toolkit (Microsoft Press).
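The pitfalls named under Security Concerns and Migrating Data (ownership reset to the migration account, changed file dates, permissions broader than before) can be checked mechanically after a trial copy. The following is an added example, not part of the guide or of any migration product; the manifests, the account map, the `ACME\svc-migrate` account and the three-level access model are constructed assumptions.

```python
"""Added example: compare file metadata before and after a trial migration."""

# Simplified three-level access model (an assumption, not NDS or NTFS rights).
LEVEL = {"none": 0, "read": 1, "write": 2, "full": 3}

MIGRATION_ACCOUNT = "ACME\\svc-migrate"  # hypothetical account running the copy

# Hypothetical map of NDS objects to their Active Directory accounts.
ACCOUNT_MAP = {
    "jsmith.Sales.Acme": "ACME\\jsmith",
    "mlee.Engineering.Acme": "ACME\\mlee",
    "Finance.Sales.Acme": "ACME\\Finance",
}

# Constructed manifests: path -> owner, creation date, access per principal.
SOURCE = {
    "home/jsmith/plan.doc": {"owner": "jsmith.Sales.Acme", "created": "2003-05-02",
                             "access": {"jsmith.Sales.Acme": "full"}},
    "home/mlee/notes.txt": {"owner": "mlee.Engineering.Acme", "created": "2004-01-19",
                            "access": {"mlee.Engineering.Acme": "full"}},
    "shared/budget.xls": {"owner": "mlee.Engineering.Acme", "created": "2004-08-30",
                          "access": {"mlee.Engineering.Acme": "full",
                                     "Finance.Sales.Acme": "read"}},
}
TARGET = {
    "home/jsmith/plan.doc": {"owner": "ACME\\jsmith", "created": "2003-05-02",
                             "access": {"ACME\\jsmith": "full"}},
    "home/mlee/notes.txt": {"owner": "ACME\\svc-migrate", "created": "2004-12-10",
                            "access": {"ACME\\mlee": "full"}},
    "shared/budget.xls": {"owner": "ACME\\mlee", "created": "2004-08-30",
                          "access": {"ACME\\mlee": "full", "ACME\\Finance": "write",
                                     "ACME\\Domain Users": "read"}},
}


def verify_migration(source, target, account_map, migration_account):
    """Return (path, finding, subject) tuples for everything that changed."""
    findings = []
    for path, src in sorted(source.items()):
        dst = target.get(path)
        if dst is None:
            findings.append((path, "missing", path))
            continue
        # Ownership must follow the account map, not the copying account.
        if dst["owner"] == migration_account:
            findings.append((path, "owner-reset", dst["owner"]))
        elif dst["owner"] != account_map.get(src["owner"]):
            findings.append((path, "owner-changed", dst["owner"]))
        # Backup programs and similar tools rely on the original dates.
        if dst["created"] != src["created"]:
            findings.append((path, "created-changed", dst["created"]))
        # Translate source trustees, then compare access level by level.
        expected = {}
        for trustee, level in src["access"].items():
            if trustee not in account_map:
                findings.append((path, "unmapped-trustee", trustee))
                continue
            expected[account_map[trustee]] = level
        for principal in sorted(set(expected) | set(dst["access"])):
            want = LEVEL[expected.get(principal, "none")]
            got = LEVEL[dst["access"].get(principal, "none")]
            if got > want:
                findings.append((path, "access-widened", principal))
            elif got < want:
                findings.append((path, "access-lost", principal))
    return findings


if __name__ == "__main__":
    for finding in verify_migration(SOURCE, TARGET, ACCOUNT_MAP, MIGRATION_ACCOUNT):
        print(*finding, sep=" | ")
```

Run against a small-scale test migration, an empty result means ownership, creation dates and access levels all survived the copy.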

If you’d like more information about migration from Novell NDS/eDirectory to Active Directory, visit http://www.quest.com to learn more and explore how Quest NDS Migrator can simplify and automate your migration.


WINDOWS MANAGEMENT

More expertise. More efficiency. More proof.

| Active Directory | Exchange | Windows |

©2004 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software. All other brand or product names are trademarks or registered trademarks of their respective holders. Microsoft is a registered trademark of Microsoft Corporation in the United States and other countries.

Get Proof. Get your Yankee Group white paper titled: Migrating from NDS to Active Directory: Lower TCO and Improve ROI today!

www.quest.com/NDS2ADproof

NDS Migrator helps you get from Novell NDS/eDirectory to Active Directory with less impact on your organization. With its project-based, step-by-step migration capabilities, NDS Migrator accelerates and automates your move from NDS to Active Directory. Pre- and post-migration planning allows you to map organizational units and objects. From complete account, group, and organizational unit migration to file and directory migration and synchronization, NDS Migrator covers it all.

“Yankee Group's latest survey data shows 8 out of 10 businesses will do a major migration in 2005 and 9 out of 10 Novell Netware users polled will switch from eDirectory to Active Directory.” — Yankee Group

Simply put, Quest gives you more for your NDS to Active Directory migration. And we can prove it.

For a fast, effective NDS to Active Directory migration, what more do you need?

Organizations are migrating from Novell® NDS/eDirectory to the most comprehensive and valuable directory solution available: Active Directory. However, these same organizations are demanding more. More than lengthy project plans. More than error-prone, manual processes. With Quest NDS Migrator, you can accelerate and automate your migration. In fact, more than 1.2 million users have used NDS Migrator to lower migration costs and drive quicker ROI from their Windows Server System investment.