Moving to WS2003

Presentation Transcript

Moving to Windows Server 2003 from Windows 2000 :

Dave Sayers, Senior Consultant, Windows Team, Microsoft Services Organisation

Agenda :

- Benefits of upgrading from Windows 2000
- Upgrading from Windows 2000
  - Taking inventories
  - Using ADPrep
  - Post-installation tasks
- Functional levels
- Tips and tricks

Benefits of Upgrade :

- Windows Server 2003 Active Directory is an evolutionary step
  - Improvements in the existing feature set
  - Security fixes
  - Secure by default
  - New features
- Straightforward upgrade path

Benefits of Upgrade :

- Cross-forest Kerberos trust
- Improved replication
  - Link Value Replication
  - No GC full synchronisation when the partial attribute set changes
  - No 5000-member group limit
- Domain rename
- Application partitions
- Branch office improvements
  - KCC, GC caching
  - Rapid GC demotion

Benefits of Upgrade :

- Schema: "defunct" (deactivation of schema classes and attributes)
- Lingering object removal
- LDAP improvements
  - Virtual List View support
  - Correct auxiliary class support
  - InetOrgPerson
  - Lightweight LDAP authentication
  - Dynamic entries (TTL-based objects)
- Single Instance Store

Benefits of Upgrade :

- Resultant Set of Policy (RSoP): planning and reporting modes
- Many new policy settings
- Filtering via WMI query: the query is evaluated dynamically and Group Policy is applied on the result
- Group Policy Management Console

Important Active Directory Changes: Improved Security Settings :

- "Allow anonymous SID/name translation" policy is disabled by default on 2003 DCs
- Clients in NT 4.0 resource domains may experience:
  - "Account Unknown" in the ACL editor
  - Authentication failures by Microsoft and Outlook clients
  - Intermittent results as secure channels move between 2000 and 2003 DCs
- Everyone group no longer includes Anonymous Logon

Important Active Directory Changes: Improved Security Settings :

- Pre-Windows 2000 Compatible Access
  - If Everyone is in the Pre-Windows 2000 Compatible Access group, then Anonymous Logon and Authenticated Users are added to it
  - Enterprise Domain Controllers is added to the Windows Authorization Access group
  - Everyone may have been removed by the administrator; common on 2000 domains upgraded from NT 4.0
- "Enforce SMB signing" enabled ("Microsoft network server: Digitally sign communications (always)"), protecting the integrity of client traffic to the DC

Upgrade from Windows 2000: Overview :

- Easy upgrade process
  - No AD or OU namespace planning required
  - No DNS namespace, deployment, or delegation conflicts
  - No user / workstation / profile migration
- Windows Server 2003 DCs
  - Can play any role in a Windows 2000 forest / domain
  - Are fully compatible with Windows 2000 DCs
- How to introduce 2003 DCs?
  - Add new DCs with DCPROMO
  - Upgrade an existing 2000 DC in place (Winnt32.exe)

Upgrade Steps :

1. Check the domain controllers' SP level: SP1 with QFE 265089 required, SP2 recommended
2. Inventories: client, domain controller, schema
3. Prepare the forest: Adprep /forestprep
4. Prepare the domain(s): Adprep /domainprep
5. Install Windows Server 2003 as a member server
6. Run dcpromo
7. Upgrade the other domain controllers

Client Inventory: Update Windows 95 and Windows NT 4.0 Clients :

- Security default on Server 2003 DCs: "Enforce SMB signing" is enabled by default
  - Temporarily relax the setting on the DCs, or update the clients (relaxing it reopens the DC to unsigned, tamperable SMB sessions; prefer updating the clients)
- Windows 95: install the DS client or a new operating system
- Windows NT 4.0: SP3 or later required; SP6a recommended (DFS)
- All other Microsoft network clients: no action required; latest SPs are always recommended

DC Inventory: ADPREP Operations and Mitigation :

- ADPREP adds new permissions, objects, and attributes
- Protect the schema update and index rebuild on 2000 DCs:
  - Schema delete: fixed in SP2 or QFE. Mandatory
  - Inefficient replication of schema deltas: SP3 or QFE. Optional for small domains with fast links
  - Index replication delay: SP3 or QFE. Optional for large domains
- 2000 DCs must have SP2 to source AD from a 2003 DC that hosts application partitions

DC Inventory: QFE Strategy for 2000 DCs :

- Guiding principles
  - Do not let ADPREP drive forest-wide SP installation
  - A single QFE resolves all ADPREP issues on SP1 to SP3 DCs
  - Install the performance fixes if you cannot tolerate an outage
- Mixed-version domains
  - The faster you get to an all-2003-DC forest, the less you need 2000 SP3
- Extended 2000 / 2003 interoperability
  - Windows 2000 SP3 + SP3 regression fixes + NTFRS.EXE + NTDSA.DLL QFEs
- Inventory the DCs with 2003 REPADMIN /SHOWATTR
- See KB article 331161 for a detailed explanation of the QFEs

DC Inventory: DC, Domain, and Forest Health :

For each domain in the forest verify:
- FSMOs accounted for and correctly located (the schema and infrastructure masters are used by ADPREP)
- Event logs: no significant replication, topology, or other events
- NETLOGON and SYSVOL shares exist and contents are synchronised by FRS
- DCs applying policy: event 1704 in the application log, no 1202s
- DCs have free disk space
  - AD database: free space = 15-20% of NTDS.DIT size
  - AD logs: free space = 15-20% of the *.log files
- DLT service (optional): stop the service and delete the objects if not used (KB 312403)
- System state backups: back up two DCs in each domain in the forest

DC Inventory: Replication Health :

- Tombstone lifetime (TSL) and the AD object deletion model
  - Goal: transitive replication of deltas between all DCs in the forest hosting a particular NC
  - Blockers: connectivity, DNS configuration, authentication, offline DCs, disjoint topologies, incorrect site or bridgehead selection, replication errors
  - Do not decrease this value lightly, and do not increase it above the default
- Demote DCs not replicating outbound (OB) or inbound (IB) deltas within TSL days (a DC that has not replicated within the TSL can reintroduce deleted objects as lingering objects)
  - DCPROMO /FORCEREMOVAL added to Windows 2000 in the 332199 QFE
  - Full metadata cleanup in DFS, DNS, FRS, AD (NTDSUTIL), etc.
  - Exception: the only or last DC in a domain, or where an alternate replication path exists
- Forest-wide replication check
  - 2003 REPADMIN on an XP or 2003 member against 2000 or 2003 DCs
  - REPADMIN /SHOWREPL * /CSV, then Excel AutoFilter for drilldown

DC Inventory: REPADMIN /REPLSUM :

DC Inventory: Plans for Non-Replicating DCs :

- Connection fails for > 60 days: DC3 not replicating IB / OB deltas from \\DC1, but an alternate path exists
  - Fix the error and keep moving
- No IB / OB replication for > 60 days: DC3 not replicating IB or OB deltas with any partner
  - Do replicas of DC3's NCs exist elsewhere? Yes: forced demote of DC3. No: fix replication, then clean up lingering objects later
- Disjoint topology: all DCs report replication success, but there is no "bridge" between the site links
  - Clean up lingering objects later

(Diagram: Site Link ABC and Site Link DEF, each containing \\DC1, \\DC2 and \\DC3)
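The two slides above describe the triage by hand: export REPADMIN /SHOWREPL * /CSV and filter it in Excel. The script below, added here as an example and not part of the deck or of any Microsoft tool, does the same triage over the CSV: it flags DCs with no inbound or outbound success inside the tombstone lifetime (forced-demote candidates), dead links that still have an alternate partner, and "islands" whose links all succeed but have no bridge to the rest of the forest. The column names are assumed from the showrepl_COLUMNS header that 2003 repadmin emits; the rows, DC names and domain are constructed for the example.

```python
"""Triage REPADMIN /SHOWREPL * /CSV output against the tombstone lifetime.
Added example for the deck, not Microsoft tooling. Column names are assumed
from repadmin's showrepl_COLUMNS header; the sample rows are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME_DAYS = 60  # 2000/2003 default; the deck says do not change it lightly

# Constructed sample. DC3: one dead inbound link but an alternate partner.
# DC4: no inbound or outbound success for > 60 days. DC5/DC6: replicate with
# each other only (every link succeeds, no bridge to HQ).
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=contoso,DC=com",HQ,DC2,RPC,0,0,2003-06-01 08:00:00,0
showrepl_INFO,HQ,DC2,"DC=contoso,DC=com",HQ,DC1,RPC,0,0,2003-06-01 08:05:00,0
showrepl_INFO,BRANCH,DC3,"DC=contoso,DC=com",HQ,DC1,RPC,212,2003-06-01 07:30:00,2003-03-15 02:00:00,1722
showrepl_INFO,BRANCH,DC3,"DC=contoso,DC=com",HQ,DC2,RPC,0,0,2003-06-01 07:45:00,0
showrepl_INFO,HQ,DC1,"DC=contoso,DC=com",BRANCH,DC3,RPC,0,0,2003-06-01 07:50:00,0
showrepl_INFO,REMOTE,DC4,"DC=contoso,DC=com",HQ,DC1,RPC,400,2003-06-01 06:00:00,2003-02-01 00:00:00,8453
showrepl_INFO,HQ,DC1,"DC=contoso,DC=com",REMOTE,DC4,RPC,380,2003-06-01 06:10:00,2003-02-01 00:30:00,8453
showrepl_INFO,ISLAND,DC5,"DC=contoso,DC=com",ISLAND,DC6,RPC,0,0,2003-06-01 07:00:00,0
showrepl_INFO,ISLAND,DC6,"DC=contoso,DC=com",ISLAND,DC5,RPC,0,0,2003-06-01 07:01:00,0
"""


def parse_showrepl_csv(text):
    """One dict per showrepl_INFO row, keyed by the showrepl_COLUMNS header."""
    header, rows = None, []
    for rec in csv.reader(io.StringIO(text)):
        if rec and rec[0] == "showrepl_COLUMNS":
            header = rec[1:]
        elif rec and rec[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, rec[1:])))
    return rows


def parse_time(value):
    # repadmin prints 0 for a link that has never succeeded (or never failed).
    return None if value in ("0", "") else datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def components(nodes, edges):
    """Connected components of an undirected graph (node -> set of neighbours)."""
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(edges[node])
        seen |= comp
        comps.append(comp)
    return comps


def assess(text, now, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """Return {(dc, nc): verdict} following the deck's triage."""
    cutoff = now - timedelta(days=tsl_days)
    hosts = defaultdict(set)                       # nc -> DCs holding a replica
    fresh_in = defaultdict(set)                    # (dc, nc) -> partners pulled from inside the TSL
    stale_in = defaultdict(set)                    # (dc, nc) -> partners NOT pulled from inside the TSL
    fresh_out = defaultdict(set)                   # dc -> DCs that pulled from it inside the TSL
    edges = defaultdict(lambda: defaultdict(set))  # nc -> undirected graph of live links
    for r in parse_showrepl_csv(text):
        dst, src, nc = r["Destination DSA"], r["Source DSA"], r["Naming Context"]
        hosts[nc].update((dst, src))
        last_ok = parse_time(r["Last Success Time"])
        if last_ok is not None and last_ok >= cutoff:
            fresh_in[(dst, nc)].add(src)
            fresh_out[src].add(dst)
            edges[nc][dst].add(src)
            edges[nc][src].add(dst)
        else:
            stale_in[(dst, nc)].add(src)

    verdicts = {}
    for nc, dcs in hosts.items():
        # No inbound and no outbound success inside the TSL: the DC is beyond recovery by replication.
        isolated = {dc for dc in dcs if not fresh_in[(dc, nc)] and not fresh_out[dc]}
        live = dcs - isolated
        main = max(components(live, edges[nc]), key=len) if live else set()  # largest island = the real forest
        for dc in sorted(dcs):
            if dc in isolated:
                verdicts[(dc, nc)] = ("isolated > TSL: force-demote (dcpromo /forceremoval) and clean up metadata"
                                      if len(dcs) > 1 else
                                      "isolated > TSL but sole replica: fix replication, then remove lingering objects")
                continue
            dead = stale_in[(dc, nc)] - isolated  # a link to a dead DC is that DC's problem, not this one's
            if dead:
                verdicts[(dc, nc)] = "dead link from %s, alternate path exists: fix error and keep moving" % ",".join(sorted(dead))
            elif dc not in main:
                verdicts[(dc, nc)] = "disjoint topology: no bridge to %s; clean up lingering objects later" % ",".join(sorted(main))
            else:
                verdicts[(dc, nc)] = "ok"
    return verdicts


def triage_sample():
    """Run the triage over the constructed sample as of 2003-06-01."""
    return assess(SAMPLE_CSV, datetime(2003, 6, 1, 12, 0, 0))


if __name__ == "__main__":
    for (dc, nc), verdict in sorted(triage_sample().items()):
        print("%-4s %-20s %s" % (dc, nc, verdict))
```

Against a real export, call assess() with the file contents and the wall-clock time of the export; every naming context in the file is triaged separately, so a DC can be healthy for the domain NC and isolated for an application partition. The ordering of checks matters: a DC is judged isolated before any of its links are blamed, so the hub that can no longer pull from it is not reported as the broken side.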

Schema Inventory: Exchange 2000 and SFU :

- Exchange 2000 already installed before the 2003 ADPREP?
  - The E2K ADPREP defines two non-RFC attributes, LabeledURI and Secretary; the 2003 ADPREP /FORESTPREP defines the same attributes
  - Result: mangled LDAPDISPLAYNAMEs
  - Fix: "Exchangefix.ldf" from Support\Tools on the 2003 CD; specify the full path and wrap the forest root DN in quotes
- Exchange 2000 to be installed before the 2003 DCs?
  - Execute the 2003 ADPREP or the Windows 2000 InetOrgPerson kit first
- SFU 2
  - SFU 2 defines UID incorrectly; Adprep cannot extend the schema unless the QFE is applied
  - KB articles 325379 and 293783

ADPREP /FORESTPREP: Preparing the Forest :

- Prerequisites: client, DC, and schema inventories complete; backups made; E2K / SFU schema conflicts resolved
- ADPREP /FORESTPREP
  - Adds new SDs, attributes, and objects
  - One-time operation in each forest
  - Run on the console of the schema FSMO
  - Enterprise Admins and Schema Admins rights required
- Syntax: X:\i386\ADPREP /FORESTPREP, where X is the fully qualified path to the 2003 media
- Do NOT execute the ADPREP changes manually
- Verification
  - "Command completed successfully" from ADPREP
  - CN=Windows2003Update present in the configuration NC on all DCs in the forest
  - Inbound replication by all DCs in the forest
  - \System32\Debug\Adprep\Logs\<latest log>

ADPREP /DOMAINPREP: Preparing Each Domain :

- ADPREP /DOMAINPREP
  - Adds new SDs in the domain NC and SYSVOL
  - The changes from ADPREP /FORESTPREP must have replicated in first
  - One-time operation on the infrastructure FSMO in each domain
  - Requires domain administrator rights in the target domain
- Syntax: X:\i386\ADPREP /DOMAINPREP, where X is the fully qualified path to the 2003 media
- Verification
  - "Command completed successfully" from ADPREP
  - CN=Windows2003Update present in the domain NC under SYSTEM…
  - Inbound replication by all DCs in the domain
  - \System32\Debug\Adprep\Logs\<latest log>

Install from Media Promotions: Sourcing AD and GCs from a Local Backup :

- Overview
  - Create a system state backup from an existing 2003 DC
  - Restore the backup to a LOCAL drive on a 2003 member server
  - Run "DCPROMO /ADV"
- IFM rules
  - The DC being promoted must be on the network (it still replicates everything changed since the backup)
  - Only replica DCs are supported for IFM promotion
  - The backup must be created from a 2003 DC in the same domain, and must be younger than the tombstone lifetime
  - The backup must have originated from a GC to source that NC
  - Move / copy rules for NTDS.DIT and the log files apply
  - Unattended IFM promotions are supported

Post Upgrade / Install Operations: Verifying the New DC :

- DC is healthy
  - NETLOGON and SYSVOL shares exist
  - DC responds to LDAP, RPC, and logon requests
  - SRV, CNAME, and A records are registered in DNS
  - FRS: add a canary file on the local DC and confirm it appears on a direct replication partner
  - Active Directory: REPADMIN /SHOWREPS
  - Policy being applied, as noted by event 1704
  - Event log clean; event 1931 may appear on 2000 upgrades

Admin Tools :

- The Windows 2003 AdminPak.msi installs on Windows 2003 and XP SP1
- Some tools sign and encrypt LDAP traffic between the client and the domain controller:
  - Active Directory Domains and Trusts
  - Active Directory Sites and Services
  - Active Directory Schema
  - Active Directory Users and Computers
  - ADSI Edit
  - Dsmove.exe, Dsrm.exe, Dsadd.exe, Dsget.exe, Dsmod.exe, Dsquery.exe
  - Group Policy Management Console
  - Object Picker

Admin Tools :

- LDAP signing is only available on Windows 2000 SP3 and higher
- Windows 2003 admin tools administering a Windows 2000 SP2 DC: LDAP signing and encryption in these tools can be disabled (KB 325465). Not recommended: the management session then travels unsigned and unencrypted on the wire

Post Upgrade / Install Operations: More Best Practices :

- Backup: create a new system state backup; mark the old backups
- FSMO roles: transition the PDC and Domain Naming Master roles to a 2003 DC
- Install GPMC
  - Schedule backups of Group Policy
  - Test new policy in a test domain, then import it
- Deal with DLT: restart the service or delete the objects incrementally according to KB article 312403
- Monitor: to not monitor AD is to fail

Post Upgrade / Install Operations: More Best Practices :

- Account lockout
  - Evaluate the account lockout settings
  - SP4 or 812499 (QFE ready; KB pending) on W2K DCs in the domain
  - Install the Resource Kit tools ACCTINFO and LOCKOUTSTATUS
- NTDS quotas
  - Set using DSADD (dsadd quota)
  - Restrict the number of objects a security principal can own in a directory partition, so one compromised or runaway account cannot fill the directory

ACCTINFO Property Page :

- Adds an "Additional Account Info" tab to the AD Users and Computers snap-in
- Shows the domain password policy
- Given the user's computer name, changes the password on a DC in the same AD site as that computer, so the change is effective immediately

Lockoutstatus.exe :

- Runs as a stand-alone utility or as an extension to ACCTINFO
- Shows the bad password count and time across all DCs in the domain (badPwdCount and badPasswordTime are not replicated, so each DC must be queried)
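To show what the tool has to do to produce that view, here is an added example (not the Resource Kit tool, and not from the deck) that aggregates per-DC snapshots of one account's badPwdCount, badPasswordTime and lockoutTime, converts the FILETIME values, and reports which DC saw the latest bad password, which is the DC whose Security log identifies the source of the lockout. The per-DC snapshots are constructed; in practice they come from one LDAP query per DC.

```python
"""Aggregate one account's per-DC bad-password state, as LOCKOUTSTATUS.EXE
presents it. Added example, not the Resource Kit tool. badPwdCount and
badPasswordTime are not replicated: each DC records only the failures it saw,
so every DC in the domain has to be queried. Sample data is constructed."""
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)  # AD timestamps: 100-ns ticks since 1601-01-01 UTC


def filetime_to_datetime(ticks):
    """0 means 'never' (no bad password recorded / account not locked)."""
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Constructed snapshots of one user as returned by each DC (invented values).
# lockoutTime is replicated, so DC1 and DC2 agree; DC3 in a remote site has
# not received it yet. badPwdCount / badPasswordTime differ per DC by design.
NOW = datetime(2003, 6, 2, 9, 0, 0)
SAMPLE_SNAPSHOTS = {
    "DC1": {"badPwdCount": 2,
            "badPasswordTime": datetime_to_filetime(NOW - timedelta(minutes=40)),
            "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=12))},
    "DC2": {"badPwdCount": 5,
            "badPasswordTime": datetime_to_filetime(NOW - timedelta(minutes=12)),
            "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=12))},
    "DC3": {"badPwdCount": 0, "badPasswordTime": 0, "lockoutTime": 0},
}


def summarize(snapshots, now, lockout_duration_minutes):
    """Which DC saw the latest bad password (read its Security log for the
    caller), the highest count any single DC reached, and whether the lockout
    window is still open. lockout_duration_minutes == 0 means the account
    stays locked until an administrator unlocks it."""
    latest_dc, latest_time, max_count = None, None, 0
    locked, locked_until = False, None
    for dc in sorted(snapshots):
        attrs = snapshots[dc]
        max_count = max(max_count, attrs["badPwdCount"])
        bad = filetime_to_datetime(attrs["badPasswordTime"])
        if bad is not None and (latest_time is None or bad > latest_time):
            latest_dc, latest_time = dc, bad
        lock = filetime_to_datetime(attrs["lockoutTime"])
        if lock is None:
            continue
        if lockout_duration_minutes == 0:
            locked = True
        else:
            until = lock + timedelta(minutes=lockout_duration_minutes)
            if until > now:
                locked = True
                locked_until = until if locked_until is None else max(locked_until, until)
    return {"latest_bad_dc": latest_dc, "latest_bad_time": latest_time,
            "max_bad_pwd_count": max_count, "locked": locked, "locked_until": locked_until}


def summarize_sample():
    """Summary for the constructed snapshots with a 30-minute lockout duration."""
    return summarize(SAMPLE_SNAPSHOTS, NOW, lockout_duration_minutes=30)


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print("%-18s %s" % (key, value))
```

The counts are deliberately not summed: a failure that a branch DC forwards to the PDC emulator is counted on both, so the per-DC maximum, together with the DC holding the most recent badPasswordTime, is the useful signal.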

Functional Levels: Getting to the Good Stuff :

- Model for introducing new behaviour into the operating system
  - Advanced by an admin when all DCs in "scope" are upgraded
  - Analogy: Windows 2000 native mode (on steroids)
  - Levels can only be increased; no rollback
  - As you advance, earlier DC versions are excluded and can no longer be added
  - Clients are never impacted
- Available functional levels
  - Windows Server 2003 domain functionality
  - Windows Server 2003 interim forest functionality (not relevant in this scenario)
  - Windows Server 2003 forest functionality

Domain Functional Levels :

Domain Functional Levels (2) :

Forest Functional Levels :

Goals by Functional Level: Run, Don't Walk! :

- Forest functional level changes
  - Link Value Replication for large group membership: 7 million users tested, plus more efficient deletion
  - KCC scalability improved: 3000 sites a reality
  - KCC branch office mode: fault tolerance with a static KCC-generated topology (to be documented in the 2003 Branch Office Guide)
  - Intrasite replication latency changes from 5 minutes to 15 seconds
- Why would you not go to FFL as fast as you could? Application compatibility should be the only reason

Tips and Tricks: Good Things to Know :

- Initial sync requirements: FSMOs must sync their hosting NC before they will function
- GC sync requirements: a GC must sync all NCs in the forest before advertising
- Faster to remove objects than pre-SP3 2000 DCs
- Secedit /refreshpolicy is replaced by GPUPDATE
- XP and 2003 are "the" management platform: 2003 REPADMIN, GPMC, Resultant Set of Policy, 2003 Admin Pack
- 2003 Admin Pack
  - ADUC: RAS dial-in tab removed on XP
  - Installs on XP and 2003 clients only

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.