Join AD
Join AD.ASU.EDU as a child domain:
✓ Coordinate With : Preparation Task:
| |IT/Win2000 Advisory Team |Submit request for child domain to Windows 2000 Advisory team (via Service Level Agreement) and |
| | |provide information required by the Windows 2000 SLA. |
| |DNS Team |Send IP addresses of ALL NT domain controllers to DNS team. |
| |DNS Team |Send child domain name to DNS team (e.g., ceas.ad.asu.edu, cob.ad.asu.edu). You will need this |
| | |entered as a DNS zone. |
| |DNS Team |Send migration resource domain names (e.g., ceastemp.ad.asu.edu, cobtemp.ad.asu.edu, etc) and DC |
| | |names (e.g., ceas1, ceas2) (if applicable) to DNS team IF you have resource domains that you will be |
| | |migrating into your child domain AND you believe it will take longer than a day to perform the |
| | |migration, AND clients will need to access resources in the migration domain(s) during this period. |
| | |If not, skip this step. |
| |IT Win2000 Support Team |Request account logon/password in AD.ASU.EDU for DCPROMO of your domains. Send request via |
| | |DL.PROJ.Windows2000.Questions |
| |IT Win2000 |Provide all IP subnets that will be used by your servers/clients if you will be joining the |
| |Support Team |Default-first-site (Main campus). This information can be provided to the Windows 2000 Support Team |
| | |via DL.PROJ.Windows2000.Questions. |
| |IT Win2000 |Request an additional UPN (User Principal Name) (for example ceas.asu.edu in addition to |
| |Support Team |ceas.ad.asu.edu) be added if needed by your domain users for logon. Send request via |
| | |DL.PROJ.Windows2000.Questions |
| |IT Win2000 Support Team |Request Site and/or IAS/RAS/RIS/DHCP Authorization delegation as applicable (i.e., if you are going |
| | |to be in a different Site or have RIS or Microsoft DHCP servers) |
| | |- OR - |
| | |Request IT enter all of your current IAS/RAS/DHCP/RIS server IP #’s prior to the upgrade. |
| | |Wait until you have been notified that ALL above actions have been completed by IT teams prior to |
| | |continuing. |
| |IT Win2000 |Coordinate upgrade/migration schedule with IT Win2000 Support Team and DNS Team. They will need to |
| |Support Team/DNS Team |have someone available on-call during the initial part of your upgrade/migration in case there are |
| | |any problems with DNS or joining the ad.asu.edu Forest. |
| | | |
Domain Migration Overview -
| |Upgrade/Configure authentication domain first (via plan above) |
| |Use NetDom or Active Directory Migration Tool (ADMT) to move all Resource domain groups and computers into AD domain OU's. |
| |Upgrade all resource domain Member Servers to Windows 2000 or rebuild. |
| |Move/join all Windows 2000 Member servers into AD domain OU’s. |
| |Move all client computers that used to reside in resource domains into AD domain OU's. |
| |Upgrade remaining resource-domain DC's (PDC's first) into the transitional ("fake") domain/forest |
| |DCPROMO each DC out of the transitional domain (old PDC's last), then join it to the AD domain and move it into the appropriate OU |
Upgrade authentication domain to child domain of AD.ASU.EDU
| |IMPORTANT!!! - Make sure the Network information on EVERY Domain Controller reflects the correct IP address, name, and DNS |
| |suffix (e.g., name=asuw1, DNS Suffix=west.ad.asu.edu) that you previously sent to the DNS team (Network identification and |
| |TCP/IP properties tabs). THIS MUST BE DONE PRIOR TO UPGRADING AN NT DOMAIN CONTROLLER TO WINDOWS 2000. |
| |Download newest versions of DCDIAG, NETDIAG, and Active Directory Migration Tool (ADMT) from Microsoft site. |
| |Bring up a “temporary” BDC into the domain. Make sure it replicates all of the SAM and make an Emergency Repair Disk. Take it off-line. |
| |Backup the systems you are about to upgrade. |
| |Uninstall/Disable Power Management and antivirus tools |
| |Disconnect UPS |
| |Start with the PDC. Take it off of the network during the upgrade. |
| |Once finished with upgrade (but before DCPROMO), take all BDC's off the network and put this PDC back on the network |
| |Upgrade PDC to Windows2000 into a child domain (DCPROMO) |
| |-Choose to "create a new child domain" |
| |-Join an active Forest (AD.ASU.EDU) using the Enterprise Admin password received from IT-Main. |
| |-Do not install DNS on the server (point to ASU DNS server) |
| |-IMPORTANT!!! The Administrator password DCPROMO asks for here is the Directory Services Restore Mode password. Write it down and |
| |store it in an EASILY ACCESSIBLE yet SECURE place. This password is the ONLY password you can use to restore the domain if needed and |
| |there is NO WORKAROUND!!! |
| |-Install Service Packs or Hotfixes as applicable on all DC’s. |
| |-Make Disaster Recovery Disks for all DC’s |
| |-Verify users/groups were migrated correctly (if applicable) |
| |-Verify clients can logon to the domain |
| |-Install Resource Kit and Adminpak.msi |
| |-Run Netdiag (verifies network configuration) |
| |-Run DCdiag (verifies Domain Controller configuration) |
| |-Run ReplMon (verifies replication with root domain) |
| |-FIX ANY PROBLEMS noted by Netdiag, DCdiag, or ReplMon prior to continuing!! |
| |-Make Disaster Recovery Disks (via Disaster Recovery Wizard) |
| |-Perform backup of DC’s, including system state |
| |Make sure your MS DHCP servers are authorized (either via root delegation or via previous coordination with W2K support team) |
| |Bring BDC's (currently NT4) back on the network |
| |Upgrade BDC’s (or rebuild) |
| |-Perform a backup of all DC’s |
| |Install domain management tools (e.g., Resource Kit, Adminpak.msi, etc) on all DC’s or as applicable |
| |Turn on Security auditing (via AD Users and Computers, Domain properties, Group Policy, Computer Configuration, Windows |
| |Settings, Security settings, local policies, audit policies: |
| |Audit Account logon – failure |
| |Audit Account mgmt – success/failure |
| |Audit logon events – failure |
| |Audit policy change – success/failure |
| |Audit privilege use – success/failure |
| |Audit system events – success/failure |
| |Turn on Default Domain Policies (via AD Users and Computers, domain properties, Group Policy, Computer Configuration, Windows |
| |Settings, Security settings): |
| |Password Policy |
| |No maximum password age |
| |Password history = 3 |
| |Minimum password length = 6 |
| |Account Lockout Policy |
| |Account lockout duration = 60 minutes |
| |Reset account lockout count after = 60 minutes |
| |Kerberos Policy |
| |Use all defaults as is. |
| |Event Log Policies |
| |Set log size |
| |Restrict Guest access |
| |Set Retention method |
| |Set Retention period |
| |Add IAS and/or RAS servers to the ‘RAS and IAS Servers’ group as applicable (if not performed by IT in pre-coordination) |
| |Make sure there are no DNS or Replication errors in the Event Log before proceeding. Also: |
| |Run Netdiag (verifies network configuration) on all DC’s |
| |Run Dcdiag (verifies Domain Controller configuration) on all DC’s |
| | |
| |FIX ANY PROBLEMS noted by Netdiag, DCdiag, or ReplMon prior to continuing!! |
| |If creating a new site, and SITE management delegation has been completed, create the site and its subnets, and move DC’s into the site |
| |as applicable. Create the NTDS Site Settings and Licensing Site Settings objects for the site if they are not created automatically. |
| |-OR- |
| |If joining the Default-First-Site (MAIN campus), verify that your IP subnets are assigned to that site. |
| |Create Global Catalog on servers as applicable. (AD Sites and Services, NTDS Settings object properties for the server, Global |
| |Catalog checkbox). NOTE: The replication of the catalog may take considerable bandwidth and time. See pg 76 of Building |
| |Enterprise Active Directory Services – Notes from the Field for registry changes to decrease time for first replication. |
| |Make sure there are no GC, replication, or KCC errors in the Event Log before proceeding (run Dcdiag and Repadmin) |
| |Make domain Native (AD Users and Computers, right click on domain, use Change mode button). This change is one-way: once the domain is |
| |in native mode, NT4 BDC’s can no longer be added to it. Then wait 15 minutes before performing other Directory related functions. |
| |Move FSMO roles as desired (via AD Users and Computers, connect to the DC that you want to move the Operations Master to, domain |
| |controller right-click menu, Operations Masters, Change button). Check the Event log for success/failure. NOTE: The Infrastructure |
| |master should NOT reside on a DC that also houses a GC, unless every DC in the domain is a GC. |
| |Re-establish trusts to Resource domains, even if they appear to be fine (via AD Domains and Trusts, domain properties, trusts). |
| |Create OU’s for Users/Computers and move users/computers (as applicable) |
| |Use a script to change user account attributes as applicable: |
| |Populate Firstname, Lastname fields |
| |Change UPN (User Principal Name) on all user accounts (e.g. to west.asu.edu) if applicable. |
| |Set ACL’s as appropriate |
| |Set up permissions for the backup software Service account (it must be in the Backup Operators group; if you are backing up the system |
| |state via a 3rd party system, the service account for that software must also be added to the Builtin Administrators group on |
| |each system whose system state you will be backing up). |
| |Perform a backup of all DC’s and schedule ongoing backups and ER disk creation as applicable |
| |Document which servers run GC’s and FSMO roles. This will be needed for disaster recovery procedures. |
| |If the domain is up and running correctly, you can re-format/de-install the “temporary BDC” that you created in the first step |
| |of the domain upgrade. |
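The IMPORTANT step at the top of this checklist (every DC's name, DNS suffix and IP must match what was sent to the DNS team before any NT domain controller is upgraded) is easy to verify mechanically. The script below is an added example, not part of the ASU checklist; it reads the values the Network Identification and TCP/IP property sheets write (the `Hostname` and `NV Domain` registry values, and the enabled adapters' addresses) over WMI from an admin workstation and compares them with the table you submitted. The expected names and addresses in `$expected` are assumptions for illustration.

```powershell
# Added example (not from the ASU checklist): confirm that every NT4 domain
# controller's host name, primary DNS suffix and IP address match what was
# sent to the DNS team BEFORE any DC is upgraded. Run from an admin workstation
# with WMI/DCOM access to the DCs. The expected table below is assumed.
$expected = @(
    @{ Name = 'asuw1'; Suffix = 'west.ad.asu.edu'; IP = '10.1.1.11' },  # assumed
    @{ Name = 'asuw2'; Suffix = 'west.ad.asu.edu'; IP = '10.1.1.12' }   # assumed
)

$HKLM  = [uint32]2147483650
$tcpip = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DcNetworkIdentity {
    param([string]$Computer)
    # The Network Identification tab stores the primary DNS suffix in 'NV Domain';
    # 'Hostname' is the computer name as TCP/IP sees it.
    $reg      = [wmiclass]"\\$Computer\root\default:StdRegProv"
    $hostName = $reg.GetStringValue($HKLM, $tcpip, 'Hostname').sValue
    $suffix   = $reg.GetStringValue($HKLM, $tcpip, 'NV Domain').sValue
    $ips = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
               -ComputerName $Computer -Filter 'IPEnabled = TRUE' |
           ForEach-Object { $_.IPAddress } |
           Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
    [pscustomobject]@{ Hostname = $hostName; Suffix = $suffix; IPs = @($ips) }
}

$report = foreach ($e in $expected) {
    try {
        $actual = Get-DcNetworkIdentity -Computer $e.IP
        [pscustomobject]@{
            Expected = "$($e.Name).$($e.Suffix) [$($e.IP)]"
            Actual   = "$($actual.Hostname).$($actual.Suffix) [$($actual.IPs -join ',')]"
            NameOK   = ($actual.Hostname -eq $e.Name) -and ($actual.Suffix -eq $e.Suffix)
            IpOK     = $actual.IPs -contains $e.IP
        }
    } catch {
        # Unreachable DC: report it as a failure rather than skipping it silently.
        [pscustomobject]@{
            Expected = "$($e.Name).$($e.Suffix) [$($e.IP)]"
            Actual   = "unreachable: $($_.Exception.Message)"
            NameOK   = $false
            IpOK     = $false
        }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not ($_.NameOK -and $_.IpOK) }) {
    Write-Warning 'Mismatches found. Fix them (and re-notify the DNS team) before upgrading any DC.'
}
```

String comparison with `-eq` is case-insensitive in PowerShell, which matches how DNS treats the names; an IP that is present on the DC but differs from the submitted one still fails `IpOK`, because that is exactly the case that produces wrong DNS registrations after DCPROMO.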
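The audit, password, lockout and event-log settings listed in the steps above, written out as a Windows 2000 security template (an added example; this is not a template from the ASU checklist). Values the page states are used as-is. The page does not give a lockout threshold or event-log sizes and retention, so those lines are assumptions and are marked as such in the file. Import the template into the Default Domain Policy (Group Policy editor, Computer Configuration, Windows Settings, Security Settings, right-click, Import Policy) rather than applying it with `secedit` on one DC, since the domain GPO overrides local settings on every DC anyway. Note that a six-character minimum with no expiry is well below later Microsoft baselines; treat these as the floor this migration required, not as a recommendation.

```ini
; Added example: Windows 2000 security template for the Default Domain Policy
; settings listed in the ASU checklist. Not the checklist's own file.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password Policy as listed: no maximum age (-1 = never expires), history 3, length 6
MaximumPasswordAge = -1
PasswordHistorySize = 3
MinimumPasswordLength = 6
; Account Lockout Policy as listed (minutes)
LockoutDuration = 60
ResetLockoutCount = 60
; ASSUMED: the page gives no lockout threshold; duration/reset have no effect
; unless a threshold is set, so one is supplied here for illustration.
LockoutBadCount = 5

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 2
AuditAccountManage = 3
AuditLogonEvents = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3

[Event Log]
; ASSUMED values for "set log size", "restrict guest access", "retention":
; sizes in KB (must be multiples of 64), retention 0 = overwrite as needed,
; 1 = overwrite by days, 2 = do not overwrite
MaximumLogSize = 16384
MaximumSecurityLogSize = 65536
MaximumSystemLogSize = 16384
RestrictGuestAccess = 1
RestrictSecurityGuestAccess = 1
RestrictSystemGuestAccess = 1
AuditLogRetentionPeriod = 1
AuditSecurityLogRetentionPeriod = 1
AuditSystemLogRetentionPeriod = 1
RetentionDays = 7
SecurityRetentionDays = 7
SystemRetentionDays = 7
```

Kerberos Policy is omitted on purpose: the checklist says to keep the defaults, and a template that does not mention a setting leaves it untouched.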
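The FSMO and Global Catalog steps above (move roles as desired, keep the Infrastructure master off a GC, and document which servers hold GCs and roles for disaster recovery) can be checked and recorded from one script. The following is an added example, not part of the ASU checklist: it reads the three domain-level role owners and the NTDS Settings objects of this domain's DCs over LDAP with ADSI (no AD module needed, so it works against Windows 2000 DCs from any PowerShell host), flags an Infrastructure master that is also a GC, and writes the inventory to a CSV. The child domain name and output path are assumptions. Forest-level roles (Schema and Domain Naming master) belong to the root domain ad.asu.edu and are not listed here.

```powershell
# Added example (not from the ASU checklist): inventory FSMO role holders and
# Global Catalog servers for a child domain via ADSI, warn if the Infrastructure
# master sits on a GC while other DCs are not, and save the result for DR docs.
$domainDns = 'west.ad.asu.edu'              # assumed child domain
$outFile   = 'C:\DR\fsmo-gc-inventory.csv'  # assumed output path

$rootDse  = [ADSI]"LDAP://$domainDns/RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value

function Get-ServerFromNtdsDn {
    param([string]$NtdsDn)
    # fSMORoleOwner holds the DN of an NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...  -> <server>
    (($NtdsDn -split ',')[1]) -replace '^CN=', ''
}

# The three domain-level roles are stored on objects in the domain NC.
$roles = [ordered]@{
    'PDC Emulator'          = ([ADSI]"LDAP://$domainNC").fSMORoleOwner.Value
    'RID Master'            = ([ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNC").fSMORoleOwner.Value
    'Infrastructure Master' = ([ADSI]"LDAP://CN=Infrastructure,$domainNC").fSMORoleOwner.Value
}

# Every DC of this domain has an nTDSDSA object in the configuration NC whose
# hasMasterNCs includes the domain NC. Bit 0 of its 'options' marks a GC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter = "(&(objectClass=nTDSDSA)(hasMasterNCs=$domainNC))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'options'))

$dcs = foreach ($r in $searcher.FindAll()) {
    $dn     = [string]$r.Properties['distinguishedname'][0]
    $opt    = if ($r.Properties['options'].Count -gt 0) { [int]$r.Properties['options'][0] } else { 0 }
    $server = Get-ServerFromNtdsDn -NtdsDn $dn
    $held   = $roles.GetEnumerator() |
              Where-Object { (Get-ServerFromNtdsDn -NtdsDn $_.Value) -eq $server } |
              ForEach-Object { $_.Name }
    [pscustomobject]@{
        Server = $server
        IsGC   = (($opt -band 1) -eq 1)
        Roles  = ($held -join '; ')
    }
}

$dcs | Format-Table -AutoSize
$dcs | Export-Csv -NoTypeInformation -Path $outFile   # keep with the DR procedures

$infra = Get-ServerFromNtdsDn -NtdsDn $roles['Infrastructure Master']
$allGC = -not ($dcs | Where-Object { -not $_.IsGC })
if (($dcs | Where-Object { $_.Server -eq $infra -and $_.IsGC }) -and -not $allGC) {
    Write-Warning "Infrastructure master $infra is a GC while other DCs are not; move the role to a non-GC DC."
}
```

Run it again after each role move and after enabling a GC, since the warning condition can appear or disappear with either change; the CSV from the final run is the record the disaster-recovery step asks for.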
Resource Domains
| |Install a "temporary" BDC into the domain |
| |-Make sure it replicates all of the SAM |
| |-Make an Emergency Repair Disk |
| |-Promote it to PDC |
| |Take one of the other BDC's off the network (temporarily as a backup plan if this upgrade fails) |
| |PDC Upgrade (First) |
| |Use the new “temporary” PDC for this. |
| |Backup the system |
| |Uninstall Power Management tools |
| |Disconnect UPS |
| |Take the PDC off of the network during the install |
| |Once finished with install, take all BDC's off the network and put this PDC back on the network |
| |Upgrade PDC to Windows2000 into a "transitional/fake" domain/forest (DCPROMO) |
| |-Choose to "create a new domain/forest" |
| |-Do not install DNS on the server (point to your own DNS server) |
| |-Verify users/groups were migrated correctly (if applicable) |
| |-Verify clients can logon to the domain |
| |Bring BDC's (currently NT4) back on the network |
| | |
| |BDC Upgrades |
| |Upgrade BDC's and join new transitional domain (or rebuild) |
| |Verify upgrade/re-build |
| |Move/clone users and/or groups to AD domain as appropriate |
| |DCPromo out of transitional domain and then back into AD Domain |
| | |
| |Final Tasks |
| |DCPROMO "temporary" new root PDC of transitional domain out of Forest (when no longer needed). |
| | |