S 4.317 Secure migration of Windows directory services

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

For reasons of improved functionality, increased security, greater compatibility, and better manufacturer support, it is recommended to migrate any existing Windows NT 4.0 Server structures to Windows 2000 Server or Windows Server 2003 (referred to collectively in the following as Windows Server). The features and security functions of Windows 2000 Server are a significant improvement over Windows NT 4.0 Server, which is in itself a reason to consider migration. The following points must be clarified in advance during the planning phase:

The functionality already available in Windows 2000 Server, e.g. DNS and Active Directory, is extended further after migration to Windows Server 2003. In general, the migration should first be performed in a test environment so that the migration of the production system can be based on the results of those tests.

Use of DNS

It must be noted that, with the introduction of Active Directory, name resolution in the network is performed using DNS: the WINS service (Windows Internet Name Service) used under Windows NT 4.0 for NetBIOS name resolution is replaced by DNS as the primary name service, and Active Directory clients locate domain controllers via DNS SRV records. A DNS service supporting the required record types must therefore be available for the migrated network; WINS should be retained only as long as NetBIOS-dependent applications or older clients require it. More detailed information in this regard can be found in the manufacturer's article Deploying Domain Name System in the Microsoft TechNet area (http://technet.microsoft.com).

Group policies

Compared with the system policies used in Windows NT 4.0, group policies in Windows Server extend administration to the objects of the Active Directory structure (sites, domains and organizational units). The administrative templates used under Windows NT 4.0 that are still needed after migration must therefore be incorporated into the group policy concept and, where necessary, adapted to it.

Migration restrictions

During the migration of the primary domain controller (PDC), the PDC is not available, so logon attempts and resource accesses from the clients are handled by the backup domain controllers (BDC). Domain-specific changes such as password changes or the creation of new user accounts are impossible during the migration. After the migration of the PDC is complete, the Windows 2000/XP clients in the network will only log on to the Windows Server domain controllers, so the remaining Windows NT 4.0 domain controllers should be migrated promptly. Furthermore, as soon as the corresponding downward compatibility is no longer required in the network, for example for remote access services (RAS) on Windows NT 4.0, the so-called pre-Windows 2000 compatibility should be disabled: this means removing Everyone and Anonymous Logon from the built-in group Pre-Windows 2000 Compatible Access, since their membership allows domain information such as user and group lists to be read anonymously.

Upgrade test

During the upgrade, Active Directory is set up and the objects in the Windows NT Security Account Manager database (SAM database) are migrated to the Active Directory database. After the upgrade, its success should be tested and evaluated before the existing Windows NT 4.0 structure is switched off. A detailed list of the components to be tested for correct implementation of the configuration and correct operation can be found in the Resources for IT-Grundschutz (see Testing the Migrated Directory Service Database in Resources for the Active Directory).
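The following PowerShell script is an added example and is not part of this safeguard or of the Resources for IT-Grundschutz. It performs three of the checks discussed above on a migrated domain: that the DNS SRV records through which Active Directory clients locate domain controllers are resolvable, what domain functional level the domain controller reports, and whether the built-in group Pre-Windows 2000 Compatible Access still grants anonymous read access via Everyone or Anonymous Logon. It assumes a domain-joined Windows machine; the domain name is derived from RootDSE, the SRV record names and well-known SIDs are the standard Active Directory ones, and the `-Remove` switch (a parameter of this script, not a Windows feature) requires Domain Admins rights.

```powershell
# Added example: post-migration checks for a domain upgraded from Windows NT 4.0
# to Active Directory. Not part of the BSI safeguard text. Runs on a domain-joined
# Windows machine; the -Remove switch needs Domain Admins rights.
# Assumptions: the domain name is derived from RootDSE, and the output of the
# Windows nslookup tool is parsed for the "svr hostname" line it prints for SRV records.
param(
    [switch]$Remove   # actually remove Everyone / Anonymous Logon from the compatibility group
)

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDN  = [string]$rootDse.defaultNamingContext             # e.g. DC=corp,DC=example
$dnsDomain = ($domainDN -replace 'DC=', '') -replace ',', '.'  # corp.example

# 1. DNS: Active Directory clients find domain controllers through these SRV
#    records. If they are missing, clients cannot locate the migrated DCs, so
#    this is the first thing to verify after the upgrade.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$dnsDomain",     # any domain controller
    "_kerberos._tcp.dc._msdcs.$dnsDomain", # Kerberos KDC
    "_ldap._tcp.pdc._msdcs.$dnsDomain"     # holder of the PDC emulator role
)
foreach ($name in $srvRecords) {
    $answer = (& nslookup -type=SRV $name 2>&1) | Out-String
    if ($answer -match 'svr hostname') {
        Write-Host "OK       SRV $name"
    } else {
        Write-Warning "MISSING  SRV $name - check the DNS zone for $dnsDomain"
    }
}

# 2. Functional level. The RootDSE attribute exists on Windows Server 2003 DCs
#    and is absent on Windows 2000 DCs: 0 = Windows 2000 (mixed or native),
#    1 = Windows Server 2003 interim, 2 = Windows Server 2003. NT 4.0 BDCs are
#    only possible at the Windows 2000 mixed and 2003 interim levels, and
#    raising the level is a one-way operation.
$level = $rootDse.domainFunctionality
if ($null -eq $level) {
    Write-Host "Domain functional level: not reported (Windows 2000 domain controller)"
} else {
    Write-Host "Domain functional level: $level"
}

# 3. Pre-Windows 2000 Compatible Access: membership of Everyone (S-1-1-0) or
#    Anonymous Logon (S-1-5-7) lets unauthenticated callers read user and group
#    information. Well-known SIDs are stored as foreignSecurityPrincipal objects
#    whose CN is the SID string, so the member DNs can be matched directly.
$anonymous = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }
$group = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDN"
foreach ($memberDN in @($group.member)) {
    if ($memberDN -notmatch '^CN=(S-1-[\d-]+),') { continue }
    $sid = $matches[1]
    if (-not $anonymous.ContainsKey($sid)) { continue }   # Authenticated Users (S-1-5-11) may stay
    if ($Remove) {
        $group.Properties['member'].Remove($memberDN)
        $group.CommitChanges()
        Write-Host "REMOVED  $($anonymous[$sid]) from Pre-Windows 2000 Compatible Access"
    } else {
        Write-Warning "FOUND    $($anonymous[$sid]) in Pre-Windows 2000 Compatible Access (rerun with -Remove once NT 4.0 clients and RAS servers are gone)"
    }
}
```

Run the script without `-Remove` first and record the findings as part of the upgrade test; only remove the anonymous principals once no Windows NT 4.0 RAS servers or other downward-compatible components remain, since they depend on this access to enumerate domain accounts.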

After successful completion of the PDC migration and detailed functional tests, the remaining Windows NT 4.0 domain controllers must be migrated as well. Here, too, it is necessary to check in advance whether they meet the system requirements. Based on the preliminary planning, the server roles, such as member server or additional domain controller, must then be specified, and these servers must also be subjected to thorough testing after configuration.

Updating the server environment

In order to be able to use the extended range of functions, especially in the area of Active Directory administration on Windows Server, the server environment must be updated as the last step, i.e. the domain and forest functional level must be raised once all domain controllers run the new version. However, it must be noted that raising the functional level cannot be undone and that domain controllers running versions older than the selected level can no longer be operated in the domain afterwards.

Review questions: