Active Directory Forest Merger Discussion DocumentImpact of Active Directory Merger with a parentWord格式.docx

Active Directory Forest Merger Discussion DocumentImpact of Active Directory Merger with a parentWord格式.docx

《Active Directory Forest Merger Discussion DocumentImpact of Active Directory Merger with a parentWord格式.docx》由会员分享，可在线阅读，更多相关《Active Directory Forest Merger Discussion DocumentImpact of Active Directory Merger with a parentWord格式.docx（40页珍藏版）》请在冰豆网上搜索。

MicrosoftisaregisteredtrademarkofMicrosoftintheUnitedStatesand/orothercountries.

FictitiousDisclaimer:

Theexamplecompanies,organizations,products,domainnames,e-mailaddresses,logos,people,places,andeventsdepictedhereinarefictitious.Noassociationwithanyrealcompany,organization,product,domainname,e-mailaddress,logo,person,places,oreventsistendedorshouldbeinferred.

TableofContents

1Introduction1

1.1Purpose1

1.2Audience1

1.3Background1

2ExistingEnvironment2

2.1CONTOSOCorporateActiveDirectoryDesignSummary2

2.1.1DNS2

2.1.2DHCP2

2.1.3WINS3

2.1.4SchemaChangesImplemented3

2.1.5ActiveDirectoryintegratedApplications3

2.1.6Trustrelationshipswith<

3

2.2ProcessControlActiveDirectoryDesignSummary4

2.3<

ActiveDirectoryDesignSummary4

3Impactofjoiningthe<

SharedForest6

3.1TrustingtheServiceAdministrators6

3.2DisasterRecovery7

3.3DelegationofAdministrativeControl8

3.4GroupPolicyManagement8

3.5ImpactonNameResolution9

3.6ImpactonSecurityGroups9

3.7MigrationofcurrentActiveDirectoryServices9

3.7.1UpgradingtoWindowsServer2003priortoMigration9

3.7.2ActiveDirectoryMigrationOverview10

3.7.3ActiveDirectoryMigration-ApplicationImpact11

3.8ImpactontheexistingProcessControlActiveDirectoryForest12

4MigrationofCONTOSOActiveDirectoryintothe<

ActiveDirectoryForest14

4.1Pre-requisitesforForestMigration14

4.2PlanningtoRestructureActiveDirectoryDomainsBetweenForests14

4.2.1DeterminingYourAccountMigrationProcess14

4.2.2DevelopingaTestPlan15

4.2.3CreatingaRollbackPlan16

4.2.4EstablishingAdministrativeProcedures16

4.2.5CreatinganEnd-UserCommunicationPlan17

4.3Preparethesourceandtargetdomains17

4.3.1MigrateGroupPolicyObjectstothenewDomain17

4.4InstallActiveDirectoryMigrationTool（ADMT）17

4.4.1RetainingPasswordsfortheCONTOSOMigration18

4.5Identifyandmigrateserviceaccounts18

4.6MigrateGroups18

4.6.1Pre-requisiteWork18

4.6.2GlobalGroupMigration18

4.6.3DomainLocalGroupMigration18

4.7Migrateusersinbatchesincludingprofiles19

4.8MigrateworkstationsandMemberServers19

4.9TranslateSecurityonMemberServersandWorkstations19

5MigrationofCONTOSOapplicationsintothe<

PARENTCOMPANY>

ActiveDirectoryForest20

5.1SAP20

5.2HPOpenview-ServiceDeskModule21

5.3MailSweeper/WebSweeper21

5.4Certificates21

5.5ActiveDirectoryAdministrationScripts22

5.6ServerClusters22

5.7SQLServers22

5.8DomainControllerApplicationMigration23

6MigrationofCONTOSOExchangeOrganizationintothe<

ActiveDirectory24

6.1ExistingEnvironment24

6.2Co-existencePlanning24

6.3MigrationPlanning25

6.3.1Pre-requisites25

6.3.2ClusterMailboxMigration26

6.3.3ExchangeMigrationWizard27

6.3.4Outlook28

6.3.5Post-MigrationTasks28

6.4UseofOutlook200329

6.5UpgradeCONTOSO'

sExchange2000toExchange200331

7ImpactofaMultipleForestEnvironment32

7.1MultiforestFeatureImplementationandCostSummary33

8RiskAnalysisforContosoForestMerger34

Introduction

Purpose

CONTOSOisownedbyajointventurearrangementthatincludes<

.Earlynextcalendaryear（2005）theyplantomigratetheirActiveDirectoryforestandconsequentlytheirExchangeenvironmentintothe<

forest.

CONTOSOrequiresassistanceinpreparingandplanningfortheirmigrationintothe<

ActiveDirectoryandpotentiallytheirExchangeorganisation.

MicrosoftServiceswasaskedtoassistwiththefollowing:

¾

ThepreparationandplanningofthemigrationoftheCONTOSOActiveDirectoryintothe<

ActiveDirectoryforest.

TheoptimumExchangeenvironmentforCONTOSOgiventheirmigrationintothe<

ThepossibleincorporationofCONTOSO'

sExchangeimplementationinto<

'

sExchangeorganisation.

TheupgradeofCONTOSO'

sexistingversionofExchangetoExchange2003.

TheobjectiveofthisdocumentistoproduceadiscussionoftheimpactonCONTOSOofActiveDirectoryMergerwith<

.Sincetheareasofimpactincludenon-MicrosoftsoftwaresuchasSAP,acompletemigrationplancannotbedocumented.However,migrationplanninginformationisincludedfortheMicrosoftcomponents（Exchange,ActiveDirectoryUsers,Workstationsetc.）andasummaryofareasrequiringfurtherconsiderationarealsodocumented.

Audience

TheprimaryaudienceofthisdocumentistheOperationsGroupsattheCONTOSORefinery.ThedocumentassumesthatreaderswillhaveabasicknowledgeoftheMicrosoftWindowsplatformproductsandabasicunderstandingofActiveDirectoryinanenterprise.SignificantportionsofthisdocumentconsistoftechnicalsectionswhichwillneedagraspofActiveDirectoryandassociatedtechnologiessuchasDNS,TCP/IP,etc.

Background

CONTOSOisajointventurecompanybetween<

<

ParentCompany2>

and<

ParentCompany3>

.<

arethemajorityownerofCONTOSOandown86percentofit.CONTOSOactsasmanageroftheprojectforthejointventureowners.EachownerisresponsibleforitsshareofthecostsincurredbyCONTOSOinoperatingthefacilities.

<

hasbeenintheprocessofdesigningandimplementinganActiveDirectorystructuretomeettheneedsofassetsownedormanagedby<

.Since<

ownsasignificantmajorityshareofCONTOSO,theexpectationisthatCONTOSOwillparticipateinthe<

ExistingEnvironment

CONTOSOCorporateActiveDirectoryDesignSummary

ThecurrentCONTOSOActiveDirectoryforestisasingleforest,singledomaindesignnamed.au（CONTOSO）.Thereare3domaincontrollersthatareallrunningWindows2000SP4.ThedomainisinWindows2000nativemodeandthereissinglesitedefinednamedREFINERY.

TheCONTOSOforestiscurrentlymanagedbytheCONTOSOOperationsGroup.AlladministratorsarelocatedattheCONTOSOrefinery.

DNS

CONTOSOcurrentlyusesWindows2000ServerbasedDNSservicesintegratedwithActiveDirectorytoservicethe.auActiveDirectoryforest.TheDNSservershandleallinternalnamespaces.AllclientsusetheinternalDNSserversastheprimaryandsecondaryDNSforinternalandexternalnameresolution.AthirdDNSServerhasbeenestablishedontheCONTOSOFilterserverasabackupincasetheprimary/secondaryDNSserversareunavailable.

ExternalnameresolutionisachievedthroughtheforwardingofallexternalDNSqueriestoexternalDNSservers.Conditionalforwardinghasbeenconfiguredforthe<

domainsandthecontosopcn.localDomain.AllotherexternalDNSqueriesareforwardedtotheISP’sDNSServer.

DHCP

CONTOSOcurrentlyrunsaDHCPServerattheCONTOSOsitethatislocatedonthedomaincontrollerCONTOSOSentry.

TheDHCPentriesalsodefinedaProxyAutodiscoveryentrywhichhasaspecificpointertoafilelocatedon\\CONTOSO.au.

WINS

TheprimaryWINSServerfortheCONTOSOdomainislocatedinthedomaincontrollerCONTOSOSentry.ThisreplicatesitsWINSdatabasetoCONTOSODC02（DomainController）andCONTOSOWINS.

TheEXCH01（DomainController）ServerreplicatesitsWINSdatabasefromtheexisting<

NetworkandislistedasatertiaryWINSServerforclientstoresolve<

servernames.

SchemaChangesImplemented

Schemaadditionshavebeendeployedtosupport:

Exchange2003

ActiveDirectory2003

SAPR/3

Notethatitthisiscurrentlynotbeingusedbyproductionapplications.

SAPPortal

Thenewportalenvironmentdoesnotappeartoneedtheseschemaextensions,howeverthenewportalenvironmenthasnotyetbeencommissionedandthesemaythereforemayberequired.

HPProLiantLights-Outprocessors

Notethattheseschemaextensionsarenotcurrentlynotbeingused.

ActiveDirectoryintegratedApplications

ThefollowingapplicationshavebeenidentifiedashavinglinksintotheexistingCONTOSOActiveDirectory.

WindowsServer2003CertificateServices

Exchange

SAP

HPOpenview-ServiceDeskModule

MailSweeper

WebSweeper

ActiveDirectoryAdministrationScripts

Important

Thisisnotanexhaustivelistofapplications,andfurtherworkwillberequiredtoidentifyanyadditionalapplicationsthatmaybeaffectedbythedomainmigration.

Trustrelationshipswith<

Therearetwo-waytrustrelationshipsinplacewiththe3regionaldomainsofthe<

forest-A,AandE.

Therearealsoanumberoftwo-waytrustrelationshipswith<

WindowsNT