Migrating NT4 to Windows 2003
[30 min of reading - published 11/15/2004 4:29:57 PM - Target: Confirmed]
1. AD Installation
1.1. Setup Forest Root DC
· Server name: MYSITEWIDC001
· IP address: 10.1.13.4/255.255.255.248
    o Gateway: 10.1.13.1
    o DNS & WINS: 10.1.13.4 & 10.1.13.5
    o DNS suffix: corp.dom, corproot.ads
        § Option: Append these DNS suffixes!
    o Disable dynamic DNS update in DHCP
· Set local administrator password: see password safe
· Reboot
· DCPROMO
    o New domain
    o New forest
    o Full DNS name: corproot.ads
    o NetBIOS name: corpROOT
    o DB & LOG store: default=d:\ntds
    o SYSVOL folder: default=d:\sysvol (DNS Registration Diagnostics)
    o DNS: install and configure DNS on this server
    o Permissions compatible only with W2K or W2K3
    o Restore Mode Password: see password safe
    o Restart server
        § After the restart, error 5774 appears in the System log and warning 7062 in the DNS log at the same time.
        § After a second restart the errors are gone; presumably a registration attempt after the first restart even though the server is already registered in DNS.
        § Reboot is essential!
        § After reboot, don't allow DHCP to make DNS registration to avoid error messages in logfiles
· DNS
    o Change Property corproot.ads
        § General -> change (replication scope)
        § To all DNS Servers in ADS forest corproot.ads
    o Prepare: Create DNS forwarder for corp.dom
        § Select Server -> Properties
        § Forwarders
        § NEW: corp.dom
        § IP address = 0.1.13.20
    o New DNS reverse lookup zone:
        § primary and AD integrated
        § To all DNS Servers in ADS forest
        § Enter Network ID (10.1.13.-)
        § only secure updates
    o Domain functional level can be changed in Active Directory Users and Computers
        § Raise Domain functional level in corproot.ads (right click on domain)
            · Raise to Windows Server 2003 (no more W2K DCs possible)
    o Forest functional level can be changed in Active Directory Domains and Trusts
        § Raise Forest functional level (currently W2K) to Windows Server 2003 (right click on “Active Directory Domains and Trusts”)
· Exchange 2003
    o Create a user account
        § corproot\exorgadmin
            · password: see password safe (has to be a complex password)
    o Run Exchange ForestPrep on corpwidc001
        § Insert Exchange 2003 CD
        § Run setup /forestprep
            · Choose corproot\exorgadmin as Exchange organisation Admin
            · Run SETUP.EXE /domainprep
· Rename Default-First-Site-Name to MYSITE-Root
· New sites: MYSITE-corp-Global-Resources, MYSNDSITE
· New Subnet: 10.1.13.0/29 links to CORP-Root
· New Subnet: 10.1.13.16/29 links to CORP-Central-Global-Resources
· New Subnet: 10.1.10.0/24 & 11.0.0.0/8 links to CORP
· Server name: CORPWIDC002
· IP address: 10.1.13.5/255.255.255.248
    o Gateway: 10.1.13.1
    o DNS & WINS: 10.1.13.4 & 10.1.13.5
    o DNS suffix: corp.dom, corproot.ads
    o Disable dynamic DNS update in DHCP
· Reboot
· DCPROMO
    o Adding DC for existing domain
    o User: administrator@corproot.dom
    o Domain: corproot.ads
    o DB & LOG store:
        § DB: d:\ntds
    o SYSVOL folder: d:\sysvol
    o Restore Mode Password: see password safe
    o Restart server
· Configure following FSMO Roles on this server:
    o PDC Emulator
    o Infrastructure Master
    o RID Master
· DNS
    o Prepare: Create DNS forwarder for corp.dom (to 10.1.13.20)
· WINS
    o Configure CORPWIDC001 as replication partner with CORPWIDC002
    o Configure CORPWIDC002 as replication partner with CORPWIDC001
· Server name: CORPWIDC003
· IP address: 10.1.19.20/255.255.255.248
    o Gateway: 10.1.13.17
    o DNS & WINS: 10.1.13.4 & 10.1.13.20
    o DNS suffix: corp.dom, corproot.ads
· Disable dynamic DNS update in DHCP
· Set local administrator password: see password safe
· DCPROMO
    o New domain
    o Domain tree in an existing forest
    o Logon as administrator@corproot.ads
    o Full DNS name: corp.dom
    o NetBIOS name: corp
    o DB & LOG store: default=d:\ntds
    o SYSVOL folder: default=d:\sysvol
    o DNS: install and configure DNS on this server (DNS Registration Diagnostic)
    o Permissions compatible only with W2K or W2K3 -> Windows NT, 98 & 95 can’t connect to ADS without an ADSI client.
    o Restore Mode Password: see password safe
    o Restart server
· WINS
    o Configure CORPWIDC002 as replication partner with CORPWIDC003
    o Configure CORPWIDC003 as replication partner with CORPWIDC002
· DNS
    o Configure a forwarder for corproot.ads to 10.1.13.4
    o Change IPConfig - DNS/WINS server to 10.1.13.20 & 10.1.13.4
    o Change IPConfig on CORPWIDC001
        § DNS/WINS server: 10.1.13.4 & 10.1.13.20
    o Change IPConfig on CORPWIDC002
        § DNS/WINS server: 10.1.13.5 & 10.1.13.20
    o Change Property corp.dom
        § General -> change
    o To all DNS Servers in ADS forest corproot.ads. Could take several hours till operational!!! Try periodically and observe the sync of forward lookup zone corproot.ads
        § Error 1844 is possible due to missing DNS at corproot.ads
    o WINS lookup
        § Choose DNS from corpwidc003
        § Properties from DNS zone “corp.dom”
        § WINS Reverse lookup server is itself (10.1.13.20)
        § Do not replicate this record
    o Also the WINS lookup configuration and the DNS zones have to be replicated completely.
· Configure GC on this server (only if a second DC will be installed in “Central Global Resources” and the FSMO roles will be moved to this server)
    o ADS Sites and Services – Sites – Select appropriate site – Server – Select – NTDS Settings -> General
    o Check “Global Catalog” (takes several hours till sync.)
        § Event id 1110 is shown after clicking the checkbox.
        § Wait until Event id 1119 is shown before continuing
· Server name: CORPWIDC004
· IP address: 10.1.13.21/255.255.255.248
    o DNS & WINS: 10.1.13.20 & 10.1.10.105
    o Gateway: 10.1.13.17
    o DNS suffix: corp.dom, corproot.ads
· Disable dynamic DNS update in DHCP
· DCPROMO
    o Adding DC for existing domain
    o Logon with administrator@corp.dom
    o Domain: corp.dom
    o DB & LOG store:
        § d:\ntds
    o SYSVOL folder: default=d:\sysvol
    o Restore Mode Password: see password safe
    o Restart server
· Configure following FSMO Roles on this server:
    o PDC Emulator
    o Infrastructure Master
    o RID Master
· DNS
    o WINS lookup
        § Choose DNS from corpwidc004
        § Properties from DNS zone “corp.dom”
        § WINS Reverse lookup server is itself
        § Do not replicate this record
· Server name: CORPWIDC005
· IP address: 10.1.10.105/24
    o DNS & WINS: 10.1.13.20 & 10.1.13.21
    o Gateway: 10.1.10.1
    o DNS suffix: corp.dom, corproot.ads
· Disable dynamic DNS update in DHCP
· Reboot
· DCPROMO
    o Additional DC for existing domain
    o User: administrator@corp.dom
    o Domain: corp.dom
    o DB & LOG store: default=d:\ntds
    o SYSVOL folder: default=d:\sysvol
    o Restore Mode Password: see password safe
    o Restart server
    o New DNS reverse lookup zone:
        § primary and AD integrated
        § to all DNS servers in forest corproot.ads
        § Enter Network ID (10.1.10.-)
        § only secure updates
    o WINS lookup
        § Choose DNS from corpwidc005
        § Properties from DNS zone “corp.dom”
        § WINS Reverse lookup server is itself (192.168.3.10)
        § Do not replicate this record
        § Also the WINS lookup configuration and the DNS zones have to be replicated completely.
· Configure GC on this server, but wait till WINS and DNS zones are replicated.
    o ADS Sites and Services
    o Sites
    o Select appropriate site
    o Server
    o Select NTDS Settings -> General
    o Check “Global Catalog” (takes several hours till sync.)
        § Event id 1110 is shown after clicking the checkbox.
        § Wait until Event id 1119 is shown before continuing.
· Change IPConfig - DNS/WINS server to local machine
· To use the RDP client it’s necessary to use a user with a password
· IP address: ?????/24; DNS 10.1.19.20; gateway: ????????; DNS suffix: corp.dom, corproot.ads
· Install all necessary patches from Windows Update
· DCPROMO
    o Additional DC for existing domain
    o User: administrator@corp.dom
    o Domain: corp.dom
    o DB & LOG store:
        § DB: d:\ntds
        § Logs: d:\ntds
    o SYSVOL folder: d:\sysvol
    o Restore Mode Password: see password file
    o Restart server
· Move DC to OU
    o Use ADUC to move the DC to its target OU
        § “Infrastructure Server.Global Resources.<Site name>”
· WINS
    o Use WINS Manager to add Replication Partner
· DNS
    o Create DNS forwarder for *
        § Select Server -> Properties
        § Forwarders
        § IP addresses = 10.1.19.20 & 10.1.19.21
    o Check that all DNS zones and the WINS DB are transferred to the local DC; then you can go on with the next step
    o Change IPConfig – Primary DNS/WINS server to local machine, secondary to 10.1.19.20
    o New DNS reverse lookup zone (if it does not exist yet):
        § primary and AD integrated
        § to all DNS servers in forest corproot.ads
        § Enter Network ID
        § only secure updates
    o Allow Zone Transfer
    o WINS lookup
        § Choose DNS from local DC
        § Properties from DNS zone “corp.dom”
        § Add WINS Reverse lookup to itself in the list
· Configure GC on this server (can only be done with an L3 account (Enterprise Manager))
    o ADS Sites and Services
    o Sites
    o Select appropriate site
    o Server
    o Select NTDS Settings -> General
    o Check “Global Catalog” (takes several hours till sync.)
        § Event id 1110 is shown after clicking the checkbox
        § Wait until Event id 1119 is shown before continuing
· Configure DHCP (see chapter DHCP)
· Configure Backup (see file DC Backup Concept.doc)
· Configure Realtech Monitoring client
· Install Symantec Anti Virus Client (see chapter Symantec Antivirus)
· Create OUs: (Create OU structure with LDIFDE)
· Link the “Default Domain Controllers Policy” directly to all OUs that will contain DCs in future (Infrastructure Server)
    o Properties of OU
    o GPO
    o Link an existing GPO
· Move CORPWIDC003 & CORPWIDC004 to corp Global Resources
· Move CORPWIDC005 to Infrastructure Server under MYSITE
· Up to now DNS is set up within the instructions for DC setup.
· Client settings
    o The first DNS server in every site will be the primary DNS server for each client
    o The second DNS server in every site will be the secondary DNS server for each client. If there isn’t a second DNS server, the secondary DNS server will be a server from Central Global Resources
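The site/subnet plan from the DC setup steps and the client DNS rule above, as an added offline check that is not part of the original document: it maps each DC to its site subnet, verifies that its gateway lies in its own subnet, and derives the per-site primary/secondary client DNS servers. The addresses are copied from this runbook as written; the site and DC tables are constructed from them.

```python
"""Offline check of the site/subnet plan and the per-site client DNS rule (added example)."""
import ipaddress

# Site subnets as listed in the plan (constructed from the page values).
SITE_SUBNETS = {
    "CORP-Root": ["10.1.13.0/29"],
    "CORP-Central-Global-Resources": ["10.1.13.16/29"],
    "CORP": ["10.1.10.0/24", "11.0.0.0/8"],
}
CENTRAL_SITE = "CORP-Central-Global-Resources"

# Domain controllers as written in the DC setup steps: (name, IP/prefix, gateway).
DCS = [
    ("CORPWIDC001", "10.1.13.4/29", "10.1.13.1"),
    ("CORPWIDC002", "10.1.13.5/29", "10.1.13.1"),
    ("CORPWIDC003", "10.1.19.20/29", "10.1.13.17"),
    ("CORPWIDC004", "10.1.13.21/29", "10.1.13.17"),
    ("CORPWIDC005", "10.1.10.105/24", "10.1.10.1"),
]

def site_of(ip):
    """Return the site whose subnet contains ip, or None when no site subnet matches."""
    addr = ipaddress.ip_address(ip)
    for site, nets in SITE_SUBNETS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return site
    return None

def check_dc(name, cidr, gateway):
    """Return the list of problems for one DC entry; an empty list means it is consistent."""
    iface = ipaddress.ip_interface(cidr)
    problems = []
    if ipaddress.ip_address(gateway) not in iface.network:
        problems.append(f"{name}: gateway {gateway} is outside {iface.network}")
    if site_of(str(iface.ip)) is None:
        problems.append(f"{name}: {iface.ip} is in no site subnet, so the DC lands in no site")
    return problems

def client_dns(dcs=DCS):
    """Per site: first DC is the clients' primary DNS, second DC the secondary; a site with a
    single DC takes the central site's first DC as secondary, or None if that is the same host."""
    by_site = {}
    for name, cidr, _ in dcs:
        ip = str(ipaddress.ip_interface(cidr).ip)
        site = site_of(ip)
        if site is not None:
            by_site.setdefault(site, []).append(ip)
    fallback = by_site[CENTRAL_SITE][0]
    result = {}
    for site, ips in by_site.items():
        secondary = ips[1] if len(ips) > 1 else (fallback if fallback != ips[0] else None)
        result[site] = (ips[0], secondary)
    return result
```

Run over the values as written, the check flags CORPWIDC003, whose address and gateway in its setup step above match no site subnet, which is exactly the kind of transcription slip that leaves a DC outside its intended site.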
· Up to now WINS is set up with the instructions for DC setup.
· WINS replication
    o Replication Partner (Push and Pull)
        § corpwidc003 with every first DC on each site and corpwidc004
        § every first DC on each site with corpwidc003 and the second and maybe third DC in the site.
    o Don’t create a WINS loop! The WINS topology has to be a star structure!
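The partner rule above, as an added example that is not part of the original document: it generates the push/pull partner pairs the rule implies (corpwidc003 as hub, corpwidc004 as its central peer, first DC per site as the spoke) and checks that the result is loop-free. The site list and the DC names corpwidc006 and corpwidc007 are constructed assumptions.

```python
"""Build the WINS partner plan from the runbook rule and verify it is a loop-free star (added example)."""

HUB = "corpwidc003"
HUB_PEER = "corpwidc004"  # second DC in Central Global Resources, paired with the hub

# Constructed site list: site -> DCs in install order (first DC first).
SITES = {
    "MYSITE": ["corpwidc005", "corpwidc006"],  # corpwidc006 is a hypothetical second DC
    "MYSNDSITE": ["corpwidc007"],              # hypothetical single-DC site
}

def partner_plan(sites=SITES, hub=HUB, hub_peer=HUB_PEER):
    """Return the set of push/pull partner pairs implied by the rule: hub <-> hub_peer,
    hub <-> first DC of each site, first DC <-> every other DC of its site."""
    pairs = {frozenset((hub, hub_peer))}
    for dcs in sites.values():
        first = dcs[0]
        pairs.add(frozenset((hub, first)))
        for other in dcs[1:]:
            pairs.add(frozenset((first, other)))
    return pairs

def has_loop(pairs):
    """True if the partner graph contains a cycle, i.e. a WINS replication loop.
    Union-find: joining two servers that are already connected closes a loop."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for pair in pairs:
        a, b = tuple(pair)
        ra, rb = find(a), find(b)
        if ra == rb:
            return True
        parent[ra] = rb
    return False

def is_star_topology(pairs, sites=SITES, hub=HUB):
    """A star means: no loop, and every pair touches the hub or a site's first DC, so all
    traffic between sites passes through the hub. Returns True when the plan is a star."""
    centres = {hub} | {dcs[0] for dcs in sites.values()}
    return not has_loop(pairs) and all(pair & centres for pair in pairs)

if __name__ == "__main__":
    plan = partner_plan()
    for pair in sorted(tuple(sorted(p)) for p in plan):
        print("partner:", *pair)
    print("star topology:", is_star_topology(plan))
```

Adding one extra pair such as corpwidc004 with corpwidc005 makes has_loop() return True, which is the loop the runbook warns against.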
· Create a new scope
    o Name: ??????
    o Scope: ???????
    o Lease time: ????
    o Gateway: ????????
    o Domain: corp.dom, ???
    o DNS server: ????
    o WINS server: ????
    o No. I will activate later
    o Enable dynamic DNS update (Zone Properties)
· If a second DC exists on a location, we could create another scope on this server too.
· Add DFS Snap-in to MMC
· New root
· Domain root
· Domain: corp.dom
· Choose the server which will host the root: corpwimx010
· Root name: CORPFS
· Share folder: D:\DFS
· Get time from another DC
    o net stop w32time
    o net start w32time
    o Check the system event log!
· corpwidc002 can’t get time from another DC because it’s the top of the time hierarchy
    o run on corpwidc002: w32tm /config /manualpeerlist:1.0.6.62 /syncfromflags:MANUAL
· to get time from CORPNW02 (NetWare 6 with NTP Service)
    o net stop w32time
    o net start w32time
    o w32tm /resync
· If you have problems try:
    o net stop w32time
    o w32tm /unregister
    o w32tm /register
    o net start w32time
    o w32tm /resync
· Install IIS on corpvmas015
    o Control Panel – Add/Remove Software
    o Windows Components – Application Server
· Install SUS as typical
· Internet Explorer Menu – Tools – Options – Security – Trusted Sites
    o Add the local server in security class medium because otherwise the SUS homepage won’t be displayed.
· Configure SUS
    o Set options
        · Proxy: 10.1.14.23:180
        · Server name for clients = corpvmas015
        · No replacement
        · No auto approve
        · Store files at local directory D:\SUS
        · mark only English
    o Approve only W2K3 updates
    o Edit GPO for DC
        · Computer Configuration
        · Administrative Templates
        · Windows Components
        · Windows Update
        · Automatic Updates: Enable
            o Automatic Update: (4) Auto download and schedule installation
            o Install day: (0) every day
            o Install time: 3:00 am
        · Service Location: http://corpvmas015 (for intranet updates and statistics)
        · Reschedule: 5 min.
· Uninstall
    o Double click on tGAgent_2.3.1014_WinNT_Win2000_Win2003\setup.exe
    o Choose Uninstall
    o Follow the wizard
    o Remove the proper folder in C:\Program Files
· Installation
    o Double click on tGAgent_2.3.1014_WinNT_Win2000_Win2003\setup.exe
    o Choose Typical
    o Follow the wizard
· Copy the start & stop batch files to C:\Documents and Settings\All Users\Desktop
· Advise System Administration to install the data collector (if necessary)
· Ensure (Windows Device Manager) that the proper Broadcom driver (7.33) is installed
· Broadcom NetXtreme Gigabit Ethernet Software CD for the BCM570x NetXtreme Gigabit Ethernet Adapter - RELEASE 7.0.5 - (12/03/2003)
· Insert the CD and launch Launch.exe if AutoPlay does not work
    o Click on MANAGEMENT PROGRAMS
        · Choose Control Suite and BASP
        · Follow the wizard to the end
· Configure the driver
    o Open Broadcom Control Suite 2 (Control Panel)
        · Tools
        · Create a team
            o Type in a unique name for the (NIC) team
            o Choose Smart Load Balance and Fail Over
            o Assign at least one NIC to Load Balance Members
            o Assign at least one NIC to Standby Member
            o Finish
        · File
        · Apply
· Configure new NIC
    o Open Control Panel
        · Open Network Connections
        · Configure SmartLoadBalanceTeam - BASP Virtual Adapter
            o Assign the IP of the machine to this adapter
        · Ensure that all NICs are enabled
        · Verify that the TCP/IP Protocol on the other NICs is disabled
        · Check with ipconfig /all & ping that the machine responds; test whether fault tolerance works
· Install SAV 8.1 server on “corpvmas015”
· Server group: SAV for Domain Controller
· Group password: see password file
· Install SSC (Symantec System Console is an MMC SnapIn)
· Promote “corpvmas015” to Symantec Primary Server
· Install Clients (has to be done after each DC installation)
    o SSC – Extras – NT Client Installation
    o After installation select the SAV group primary server and move the newly installed server into the dedicated SAV group
· Add folder exceptions for realtime protection
    o SSC – System Structure – “Symantec Antivirus Server” – Group – new Group: “DC”
    o All Tasks – Symantec Antivirus – option for client realtime protection
    o Exclude the following folders
        · D:\ntds
        · C:\Windows\ntfrs\jet\
        · D:\sysvol\domain
        · D:\sysvol\staging
    o Get updates every 1440 minutes (1 day)
    o Move all DCs to the new group
· Configure Live Update to get updates from Symantec once a week on Friday at 6:00 pm
See file DC Backup Concept.doc
1.3.11.1 Daily GPO Backup
- Create a backup from GPOs on corpwidc003
    o Create GPO_Backup.cmd in C:\Program Files\GPMC\Scripts
        rem GPO_Backup.cmd: wipe the previous export, then back up every GPO in the domain
        rd D:\Backup\GPO /q /s
        md D:\Backup\GPO
        cscript "c:\Program Files\GPMC\Scripts\BackupAllGPOs.wsf" D:\Backup\GPO
    o Start, Control Panel, Scheduled Tasks, Add Scheduled Task
        § Browse to C:\Program Files\GPMC\Scripts
            · Select gpo_backup.cmd
            · Daily
        § Start Time: 05:00 pm
        § Perform this task: Every Day
        § Enter User Credentials for the Backup account
- corpDOM DC Backup
    o Take a Full DC Backup
        § Start, run, ntbackup
        § Run Backup Wizard
            · Backup everything on this computer
            · Place backup in D:\Backup\<Servername>_Fullbackup.bkf
            · Advanced
                o 2 x Next
                    § Replace existing backups
                    § Allow only the owner and the Administrator access to the backup
    o Take a file backup of “<Servername>_Fullbackup.bkf” with the site backup tool
· Create a new GPO with the tool “Group Policy Management” because the default GPO should not be modified.
    o Name: CORPDOM-Users-PasswordSettings
    o Set Link order to 1
    o Edit GPO
        · Computer Configuration
        · Windows Settings
        · Security Settings
        · Account Policy
            · History: 5
            · Maximum age: 30
            · Minimum age: 0
            · Length: 6
            · Complexity: Disabled
    o Link policy to domain corp.dom
    o User Settings disabled to increase performance
· Create “CORPDOM-DC-AuditSettings”
    o Start, Run, gpmc.msc
    o Select domain GPO
    o Edit
        § Computer Configuration
        § Windows Settings
        § Security Settings
        § Local Policies
        § Audit Policy
            · Audit account management
                o Failure
            · Audit account Logon events
                o Failure
            · Audit directory service access
                o Failure
            · Audit Logon events
                o Failure
            · Audit Policy change
                o Failure
                o Success
            · Audit object Access
                o Failure
            · Audit System events
                o Failure
                o Success
· Add global group to local Administrators group
    o MYSITE-Client-AddGlobalToLocal.vbs
        ' Startup script: adds two global groups to the local Administrators group.
        ' Errors are suppressed because the built-in Administrators group has a
        ' different name per OS language; only one of the candidate names exists.
        On Error Resume Next

        Set objNetwork = CreateObject("WScript.Network")
        strComputername = objNetwork.Computername
        Set objComputer = GetObject("WinNT://" & strComputername & ",computer")

        ' Global groups to add to the local Administrators group
        Set objGlobalgroup1 = GetObject("WinNT://corp/G-TM-FRCORP-SM")
        Set objGlobalgroup2 = GetObject("WinNT://corp/G-TM-FRCORP-UHD")

        ' Localized names of the built-in Administrators group
        arrPossibleAdmins = Array("Administradores", "Administrateurs", "Administrators", "Administratoren", "Administratori")

        For Each strPossibleAdmin In arrPossibleAdmins
            Set objLocalgroup = Nothing
            Err.Clear
            Set objLocalgroup = objComputer.GetObject("group", strPossibleAdmin)
            ' GetObject fails for the names that do not exist on this OS language;
            ' test Err.Number instead of IsObject, which is True even for Nothing.
            If Err.Number = 0 Then
                If Not objLocalgroup.IsMember(objGlobalgroup1.ADsPath) Then
                    objLocalgroup.Add objGlobalgroup1.ADsPath
                End If
                If Not objLocalgroup.IsMember(objGlobalgroup2.ADsPath) Then
                    objLocalgroup.Add objGlobalgroup2.ADsPath
                End If
            End If
            Err.Clear
        Next

        Set objNetwork = Nothing
        Set objComputer = Nothing
        Set objLocalgroup = Nothing
        Set objGlobalgroup1 = Nothing
        Set objGlobalgroup2 = Nothing
    o Note the place where you’ve saved your script.
    o Create GPO
        § Start, Run, gpmc.msc
        § Go to Group Policy Objects in GPMC:
            · New, "MYSITE-Client-AddGlobalToLocal" (GPO Name)
            · Edit "MYSITE-Client-AddGlobalToLocal"
                o Computer Configuration
                    § Windows Settings
                        · Scripts
                        · Startup
                            o Add
                                § Browse
                                § Open Windows Explorer
                                § "Cut" your script
                                § "Paste" it in the "Browse" window
                            o Open
                                § Select the script that you’ve put in here and click Open
                            o OK
    o Link GPO
        § Select OU "Computers" in site MYSITE
            · Link an Existing GPO...
                o Select the "MYSITE-Client-AddGlobalToLocal" GPO
                o OK