That's what I said before....theoretically everything seems OK, but my first 
feeling for this is: don't do it... but again it is a wild crazy idea...
 
The main issue here is: you need to test the core apps in the prod. env. with 
W2K3 AD... as it is not possible to place a model of the core apps in the test 
env... this could be one of those wild ideas.
 
What do you mean by "I also think there are some soft spots in the description 
of what the upgrade looks like. It just looks to me like it was glossed over a 
bit by somebody who's done an upgrade a few times"?
 
Cheers,
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 11/25/2005 5:06 AM
To: [email protected]
Subject: RE: [ActiveDir] Connecting the test environment to the production - 
what is your opinion?



Jorge, I saw your definition of a SBC server, but what is that really?  Can
you expand that?

Otherwise,

As you may see theoretically everything seems OK and it also seems no
issues should occur with this. I'm wondering:

* If such scenario will work?
* Has anyone done this before?
* What could go wrong? (assuming the firewall is well configured and the
DCs in both environments cannot communicate with each other!)
* If something goes wrong, what are consequences and what is the impact?


Will it work?  Likely but that depends on the app.  Old-style NT4 apps would
work in this scenario (NTLM auth). That doesn't make it right.

Can something go wrong?  YEP! I see a big problem letting the test
application servers talk to the production data servers.  This is absolutely
a bad idea IMHO.  A better solution would be to not allow anything in the
test environment to talk to the production environment and nothing in the
production to talk to the test.   Completely isolated, physically if
possible.  That prevents the inevitable "..but I thought that couldn't
happen, but gee, I guess we'll have to rebuild the entire network and
databases now." conversation.

I also think there are some soft spots in the description of what the upgrade
looks like.  It just looks to me like it was glossed over a bit by somebody
who's done an upgrade a few times.

My thoughts anyway,

-ajm


>From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
>Reply-To: [email protected]
>To: <[email protected]>
>Subject: [ActiveDir] Connecting the test environment to the production -
>what is your opinion?
>Date: Fri, 25 Nov 2005 01:23:47 +0100
>
>Hi All,
>
>I would be interested in your feedback concerning the story below. The full
>story is also available on my blog
>(http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx).
>Any feedback on it would be appreciated!
>If you have questions feel free to ask!
>Thanks in advance!
>Cheers,
>Jorge
>
>##############################################
>
>Now, independent of the reason why you want to do an in-place upgrade of
>the current NT4 domain to an AD domain, to just test the migration you
>install a new BDC in the production domain and sync it with the PDC. You
>move that BDC into a test environment, and promote it to a PDC. For testing
>purposes you install an additional BDC in the test environment. To prepare
>for the domain upgrade you install 2 freshly installed W2K3 member servers,
>install and configure them with DNS/WINS/DHCP and configure them with
>"NT4Emulator" and "NeutralizeNT4Emulator" registry keys. After that reboot
>the servers!
>
>So it's time to upgrade the NT4 PDC...but before doing so also configure it
>with the "NT4Emulator" and "NeutralizeNT4Emulator" registry keys and reboot
>the PDC.
>
>After the PDC is up again the upgrade is started and after a while the
>first W2K3 DC has been introduced. That same W2K3 is also the first GC and
>hosts all FSMO roles. Followed by this is the promotion of the 2 W2K3
>member servers to AD DCs. After the promotion these new DCs might be
>configured as GCs and the FSMO roles might be transferred to one of them.
>
>As your environment may consist of legacy clients (you may need to update
>them first prior to installing the first W2K3 DC with the latest service packs
>and/or the DSClient) and W2K/WXP/W2K3 clients and servers, you may want to
>test authentication against NT4/W2K3 DCs, only W2K3 DCs and only NT4 DCs.
>If you are satisfied with the results you could remove the NT4 BDCs and the
>upgraded W2K3 DC. At this moment you are left with 2 W2K3 DCs and the
>Forest Functional Level is set to "Windows 2000" (choose if the domain will
>also contain W2K DCs) or "Windows Server 2003 Interim" (choose if the
>domain will only contain NT4 and W2K3 DCs). This choice is made during the
>upgrade of the NT4 PDC to a W2K3 DC. To stop the emulating stuff on the
>W2K3 DCs the "NT4Emulator" and "NeutralizeNT4Emulator" registry keys are
>removed and the DCs are rebooted. As soon as W2K/WXP/W2K3 clients and
>servers detect the W2K3 DCs not emulating anymore these clients and servers
>will upgrade their secure channel to use Kerberos for authentication
>instead of using NTLMv2.
>
>So at this moment the migration has been tested and the results are
>satisfying. However, before doing this in production you just may want to
>test the (core) applications against an AD domain and additionally test the
>same applications against an AD domain in Forest Functional Level "Windows
>Server 2003". So how are you going to do this, if it is not possible to
>introduce those (core) applications on servers/systems into the test
>environment?
>
>Now this is a wild and crazy scenario and I would love to know what your
>opinions are.
>
>Description of the wild and crazy scenario...
>
>So at this moment you have 2 W2K3 DCs hosting a domain that is practically
>the same as in production (same name, sids, etc.)  These servers also host
>DNS and WINS. Only the two DCs, their names and IPs are different. As you
>use a server based computing (SBC) solution in your production environment,
>you install a WXP client and a SBC server in your test environment. On that
>SBC server you install the front end applications that must communicate
>with the (core) back end applications. All servers and clients in the test
>environment are set up to use only the DNS/WINS servers in the test
>environment; both DNS and WINS will only return the DCs in the test
>environment as authenticating DCs! (For DNS nothing needs to be done, but
>for WINS you need to delete the 1Ch record and rebuild it by issuing
>NBTSTAT -RR on the 2 DCs in the test environment)
>
>DNS and WINS in the production environment and test environment are not
>connected in any way!
>
>A firewall will be placed between the production environment and the test
>environment with the following rules:
>
>* No traffic whatsoever is allowed initiated in the production environment
>to the test environment
>* The WXP client and the 2 W2K3 DCs are not allowed to communicate with
>clients/servers in the production environment
>* The SBC server is allowed to communicate with all servers in the
>production environment except for the NT4 DCs in the production environment
>
>In this scenario the following is true:
>
>* User accounts, passwords, computer accounts, groups and memberships are
>exactly the same in the production environment and in the test environment
>* The systems and users in the test environment will use the DCs in the
>test environment
>* The systems and users in the production environment will use the DCs in
>the production environment
>
>
>
>To test the (core) applications, a user logs onto the WXP client, sets up a
>session to the SBC server and starts one of the front end apps, and that app
>connects through the firewall to the core application server in the
>production environment.
>
>
>
>As you may see theoretically everything seems OK and it also seems no
>issues should occur with this. I'm wondering:
>
>* If such scenario will work?
>* Has anyone done this before?
>* What could go wrong? (assuming the firewall is well configured and the
>DCs in both environments cannot communicate with each other!)
>* If something goes wrong, what are consequences and what is the impact?
>
>
>
>I would be very interested in your opinion concerning this wild and crazy
>scenario, so feel free to post ANY comments!
>
>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
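The three firewall rules in Jorge's original post, written as a small policy model so the isolation claims can be checked flow by flow before the firewall is built. This is an added example, not code from the thread or from any product; all addresses (test and production subnets, the test DCs, the WXP client, the SBC server, the production NT4 DCs) are constructed placeholders, since the post names no hosts.

```python
"""Model of the test/production firewall policy described in the post."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the post gives no real addresses.
TEST_NET = ip_network("10.99.0.0/24")
PROD_NET = ip_network("10.1.0.0/16")
TEST_DCS = {ip_address("10.99.0.10"), ip_address("10.99.0.11")}  # the 2 W2K3 DCs
TEST_WXP = ip_address("10.99.0.50")                               # the WXP client
TEST_SBC = ip_address("10.99.0.20")                               # the SBC server
PROD_NT4_DCS = {ip_address("10.1.0.5"), ip_address("10.1.0.6")}   # prod NT4 PDC/BDC


def policy(src, dst):
    """Return True if the firewall permits a flow initiated by src towards dst.

    Rules are taken from the post and evaluated in order; anything that
    crosses the boundary and matches no rule is denied.
    """
    src, dst = ip_address(src), ip_address(dst)
    # Rule 1: nothing initiated in production may reach the test environment.
    if src in PROD_NET and dst in TEST_NET:
        return False
    # Rule 2: the WXP client and the two test DCs may not talk to production.
    if src in TEST_DCS | {TEST_WXP} and dst in PROD_NET:
        return False
    # Rule 3: the SBC server may reach any production server except the NT4 DCs.
    if src == TEST_SBC and dst in PROD_NET:
        return dst not in PROD_NT4_DCS
    # Traffic that stays inside one environment never crosses the firewall.
    if (src in TEST_NET) == (dst in TEST_NET):
        return True
    return False  # default deny for any other cross-boundary flow


def audit(flows):
    """Check (src, dst, expected_allowed) triples; return the ones the
    policy gets wrong, so an empty list means the rule set matches intent."""
    return [(s, d) for s, d, want in flows if policy(s, d) != want]
```

The `audit` call is the useful part: feed it every flow the design depends on (SBC to the core app server allowed, test DCs to production DCs denied, and so on) and any non-empty result is a rule that does not say what the post intends.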