A restructure requires moving or copying objects from one environment into another. To proceed, you will require a number of tools to help perform the migration. This lesson looks at the tools that you'll use to perform the restructure.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
A variety of tools are used to perform the restructure. You can use some for both intra-forest move and inter-forest copy operations, while others have more specific uses.
Four main tools are available from Microsoft that you can use for inter-forest and intra-forest migrations: Netdom, ADMT, ClonePrincipal, and MoveTree. Their features are compared in Table 9.1.
Table 9.1 Comparison of ADMT, ClonePrincipal, MoveTree, and Netdom Migration Tools

| Feature | ADMT | ClonePrincipal | MoveTree | Netdom |
|---|---|---|---|---|
| Performs inter-forest copy | Yes | Yes | No | Yes |
| Performs intra-forest move | Yes | No | Yes | Yes |
| Updates SIDhistory | Yes | Yes | Yes | No |
| Provides graphical user interface | Yes | No | No | No |
| Can be script-driven | No | Yes | Yes | Yes |
| Preserves passwords | Yes | No | Yes | Doesn't move user accounts |
| Preserves GUIDs | Yes, in intra-forest migrations | No | Yes | Doesn't move such resources |
| Migrates user profiles | Yes | No | No | No |
| Migrates service accounts | Yes | No | No | No |
| Updates access control lists (ACLs) on resources | Yes | No | No | No |
| Synchronizes time over domains | No | No | No | Yes |
Each of the tools listed in this table is covered in greater depth in the rest of this chapter.
All of the tools described next are supplied in compressed format in the Support folder of the Microsoft Windows 2000 Server and Advanced Server CDs. The tools described here are a subset of those on the CD, selected because they are the most useful for an inter-forest or intra-forest restructure.
SIDWalker is a set of utilities designed to help system administrators manage access-control policies on Windows 2000 and Windows NT systems. These utilities are distributed as the following files: Sidwalk.exe, Showaccs.exe, and Msvcrt50.dll. These utilities are used to assess and redesign the ACLs of all resources (such as the registry, file and folder shares, printer shares, and so on) on a server.
A three-phase approach is required when using SIDWalker tools to modify the access control lists of an object. Each phase can take up to a day or longer to complete and verify, depending on the objects you're changing access controls on. The phases are as follows:
For help on using these utilities once they have been installed, open a command prompt and type showaccs /? or sidwalk /?.
The easiest tool to use is Showaccs because it only examines your system's ACLs; it doesn't change them. For example, if you type showaccs report.txt /s, a file called Report.txt will be created containing a list of the network shares on TRAINKIT1 and their ACL entries. (Don't try this until you install the tool in the next practice.) The file then needs to be edited, mapping each old SID to its replacement, before SIDWalker can use it.
There is also an MMC snap-in that can be used to map new SID entries onto older ones so that newly created security principals are given access to the resources that the original SIDs could use. You can run the snap-in by typing sidwalk.msc in the Run dialog box on the Start menu; however, read the documentation that comes with the Windows 2000 Support Tools before using it, because it changes ACLs on live resources.
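The edit-then-apply step above is a SID-to-SID translation over every ACE on the server. The following Python script is an added example, not part of the original lesson and not the SIDWalker tools themselves; it shows the logic a practitioner checks before letting Sidwalk rewrite anything. The domain SIDs, RID map and the `path|SID|rights` listing are all constructed for the example (the listing is not the real Showaccs output format). It demonstrates the three cases that matter: well-known and BUILTIN SIDs and SIDs from other domains are left alone, source-domain SIDs are translated only through an explicit RID map (migrated principals get new RIDs in the target domain, so prefix substitution alone would be wrong), and anything unmapped is flagged for the verify phase rather than silently kept.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed source (old) and target (new) domain SIDs; not real domains.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed RID map, source RID -> target RID. A cloned or migrated
# principal is issued a fresh RID in the target domain, so an explicit
# table (built from the migration log) is the only safe translation.
RID_MAP = {1001: 1105, 1002: 1106, 1003: 1108}

# Constructed listing in the form this example parses: path|SID|rights.
# It stands in for the edited report file and is NOT Showaccs's format.
ACL_DUMP = [
    "# constructed sample, one ACE per line",
    r"\\TRAINKIT1\Data|S-1-5-21-1111111111-2222222222-3333333333-1001|FULL",
    r"\\TRAINKIT1\Data|S-1-5-21-1111111111-2222222222-3333333333-512|FULL",
    r"\\TRAINKIT1\Data|S-1-5-32-544|FULL",
    r"\\TRAINKIT1\Data|S-1-1-0|READ",
    r"\\TRAINKIT1\Payroll|S-1-5-21-1111111111-2222222222-3333333333-1003|CHANGE",
    r"\\TRAINKIT1\Payroll|S-1-5-21-1111111111-2222222222-3333333333-1099|READ",
    r"\\TRAINKIT1\Payroll|S-1-5-21-7777777777-8888888888-9999999999-1001|READ",
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class Ace:
    path: str
    sid: str
    rights: str


def parse_dump(lines):
    """Parse the constructed path|SID|rights listing, skipping comments."""
    aces = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, sid, rights = line.split("|")
        if not SID_RE.match(sid):
            raise ValueError(f"malformed SID in listing: {sid!r}")
        aces.append(Ace(path, sid, rights))
    return aces


def remap_sid(sid, old_domain=OLD_DOMAIN, new_domain=NEW_DOMAIN, rid_map=RID_MAP):
    """Return (translated_sid, status) for one ACE trustee."""
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != old_domain:
        # Well-known (S-1-1-0), BUILTIN (S-1-5-32-*) or another domain's
        # SID: not a source-domain principal, so it is never rewritten.
        return sid, "kept"
    rid = int(rid_text)
    if rid < 1000:
        # Assumption for this example: well-known domain RIDs (500 Administrator,
        # 512 Domain Admins, ...) map to the same RID in the target domain.
        # That is a policy choice to review, hence its own status.
        return f"{new_domain}-{rid}", "well-known-rid"
    if rid not in rid_map:
        # No migrated principal for this RID: leave the ACE alone and flag it.
        return sid, "unmapped"
    return f"{new_domain}-{rid_map[rid]}", "remapped"


def remap_acl(lines, **kw):
    """Translate every ACE in the listing; returns rows with a status column."""
    rows = []
    for ace in parse_dump(lines):
        new_sid, status = remap_sid(ace.sid, **kw)
        rows.append((ace.path, ace.sid, new_sid, ace.rights, status))
    return rows


def summarize(rows):
    """Count ACEs per status; 'unmapped' > 0 means manual review is needed."""
    return Counter(status for *_, status in rows)


if __name__ == "__main__":
    rows = remap_acl(ACL_DUMP)
    for path, old, new, rights, status in rows:
        print(f"{status:15} {path:22} {rights:7} {old} -> {new}")
    print(dict(summarize(rows)))
```

Run as a script it prints one line per ACE with its status and the totals; anything reported as unmapped is an ACE that still points at a source-domain SID after the migration, which is exactly what the verify phase has to catch before the source domain is decommissioned.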
SIDWalker tools are useful for the following operations:
Ldp is a support tool that can interact with any Lightweight Directory Access Protocol (LDAP) directory, including the Windows 2000 Active Directory directory service. It provides a graphical interface to Active Directory, enabling you to view and modify Active Directory objects along with their attributes, and to check whether the objects have been updated and replicated across domain controllers.
Because the Ldp tool can be used to modify and delete entries to Active Directory, it's essential that you back up your system before performing any of these operations. Read the documentation that comes with Ldp if you'd like to understand the various LDAP commands that Ldp supports.
ADSI Edit is another support tool that you can use to view and potentially edit the contents of Active Directory. It is implemented as a Microsoft Management Console (MMC) snap-in. It can be used to search Active Directory and view, change, or delete objects. The searching process can be restricted to particular parts of Active Directory.
The Domain Controller Diagnostic tool (Dcdiag.exe) can be used to analyze the state of domain controllers in a forest. You choose which tests it runs against which domain controllers; the tests available include connectivity, replication, logon rights, and trust verification.
The Dsastat command-line program can be used to compare domain naming contexts. It can give information about the relative numbers of objects in two domains. It can be used in the migration planning phase to determine the size of domains.
The Secedit command-line program can be used to apply security templates and to analyze a system's security settings against a template. It can also be used to force an immediate refresh of security policy on a computer after the domain's security policies have been changed (secedit /refreshpolicy), instead of waiting for the next policy refresh interval.
During the migration, you'll be using support tools included on the Windows 2000 Advanced Server CD-ROM and the Microsoft Windows 2000 Server Resource Kit. These tools aren't installed by default. You will first install these programs on TRAINKIT1. To perform this practice, you'll need the Windows 2000 Advanced Server CD-ROM. You'll install the tools into the C:\Tools folder. You should have already copied this folder from the Supplemental Course Materials CD-ROM in Chapter 8.
To install the support tools for Windows 2000 on TRAINKIT1
It should be running as a Windows 2000 domain controller in the trainkit.microsoft.com domain.
The Windows 2000 Support Tools Installation dialog box appears.
You should now see an entry for Windows 2000 Support Tools on the Programs menu.
In this lesson, you were introduced to the tools required for a restructure. You installed the tools from the Support folder of the Windows 2000 Advanced Server CD-ROM. You also installed the tools from the Tools folder of the Supplemental Course Materials CD-ROM, many of which come from the Microsoft Windows NT Server Resource Kit and the Microsoft Windows 2000 Server Resource Kit. You were introduced to the four main tools provided by Microsoft for performing migrations: ADMT, ClonePrincipal, MoveTree, and Netdom. A table compared the features of these programs, showing that you can use Netdom to create trust relationships and add computers to the new destination domain, that you can use ClonePrincipal for only inter-forest migrations, that you can use MoveTree for only intra-forest migrations, and that you can use ADMT as a GUI tool for both inter-forest and intra-forest migrations. These tools will be discussed in detail in later lessons of this chapter. You also briefly surveyed other tools that can be useful in performing migrations and administering Active Directory, including Nslookup, Ldp, Secedit, and SIDWalker.