(2005-11-24) Connecting The Test Environment To The Production – What Is Your Opinion?

As many of you already have done it, or are doing it right now, or better yet are still thinking about it! What? Well, migrating to Windows Server 2003 with AD.

 

When planning migration, on of the important is topics is thinking about the test environment to test the migration itself, but to also test current functionalities and especially current applications…

 

So when moving from an NT4 domain to Active Directory (based upon W2K3) you have two possibilities:

(1) Migrating from the NT4 domain to a newly fresh installed AD domain

With this you have the possibility to build a fresh installed AD domain, migrate everything you want to (groups, users, computers and resources) and leave all crap behind. It just looks like a fresh start.

PROs:

• Little to no impact on the current environment (much safer)
• Fallback migration scenario is much simpler
• Object migration is non-destructive
• No sudden introduction of new AD DCs into production environment
• Phased migration is possible
• Direct use of ALL new AD functionalities as no legacy DCs are used
• Ability to install and configure the new AD environment without even it already being used and without impacting current environment and better possibility to implement new wishes/requirements
• Better possibilities to test current available functionalities and applications

CONs:

• As migration contains more phases to accomplish, much slower
• Current NetBIOS name of NT4 domain cannot be reused. (unless the migration is performed twice using an Interim AD environment, or renaming it after the migration)
• Extra hardware needed for DCs
• Migration tooling needed migrate objects and re-ACL resources
• Objects must be migrated and resources must be re-ACL-ed

(2) In-place upgrading the NT4 domain to an AD domain

With this you have have the possibility to just either perform a software upgrade of all NT4 DCs to W2K3 DCs or only upgrade the PDC, introduce new W2K3 DCs and remove the old NT4 DCs

PROs:

• Ability to keep current NetBIOS name of NT4 domain
• Current domain configuration is used
• No extra or very little extra hardware needed
• Quick implementation/migration
• No tooling needed to migrate objects or re-ACL resources

CONs:

• When doing a software upgrade of DCs those DCs will be impacted and unavailable during a certain period (this is always true for the PDC)
• Eventual non-compatibilities (applications, services, drivers, etc.) on NT4 DCs must be solved by removing or upgrading to new versions prior to upgrading the OS.
• Fallback scenario’s are more difficult
• Limited use of new AD functionalities and only available after removal of all NT4 DCs
• Direct introduction of AD DCs prevents phased migration
• Implementation of AD without disrupting current environment is more difficult to realize
• More difficult to implement new configurations and to cleanup current crap
• Old default configurations may be kept instead of using new default configurations
• Less possibilities to test current available functionalities and applications

____

Building and using the test environment for scenario (2)…

Now, independent of the reason why you want to do an in-place upgrade of the current NT4 domain to an AD domain, to just test the migration you install a new BDC in the production domain and sync it with the PDC. You move that BDC into a test environment, and promote it to a PDC. For testing purposes you install an additional BDC in the test environment. To prepare for the domain upgrade you install 2 freshly installed W2K3 member servers, install and configure them with DNS/WINS/DHCP and configure them with "NT4Emulator" and "NeutralizeNT4Emulator" registry keys. After that reboot the servers!

So it’s time upgrade the NT4 PDC…but before doing so also configure it with the "NT4Emulator" and "NeutralizeNT4Emulator" registry keys and reboot the PDC.

After the PDC is up again the upgrade is started and after a while the first W2K3 DC has been introduced. That same W2K3 is also the first GC and hosts all FSMO roles. Followed by this is the promotion of the 2 W2K3 member servers to AD DCs. After the promotion these new DCs might be configured as GCs and the FSMO roles might be transferred to one of them.

As your environment may consist of legacy clients (you may need to update them first prior installing the first W2K3 DC with latest service packs and/or the DSClient) and W2K/WXP/W2K3 clients and server you may want to test authentication against NT4/W2K3 DCs, only W2K3 DCs and only NT4 DCs. If you are satisfied with the results you could remove the NT4 BDCs and the upgraded W2K3 DC. At this moment you are left with 2 W2K3 DCs and the Forest Functional Level is set to "Windows 2000" (choose if the domain will also contain W2K DCs) or "Windows Server 2003 Interim" (choose if the domain will only contain NT4 and W2K3 DCs). This choice is made during the upgrade of the NT4 PDC to a W2K3 DC. To stop the emulating stuff on the W2K3 DCs the "NT4Emulator" and "NeutralizeNT4Emulator" registry keys are removed and the DCs are rebooted. As soon as W2K/WXP/W2K3 clients and servers detect the W2K3 DCs not emulating anymore these clients and servers will upgrade their secure channel to use Kerberos for authentication instead of using NTLMv2.

So at this moment the migration has been tested and the results are satisfying. However, before doing this in production you just may want to test the (core) applications against an AD domain and additionally test the same applications against an AD domain in Forest Functional Level "Windows Server 2003". So how are you going to do this, if it is not possible to introduce those (core) applications on servers/systems into the test environment?

Now this is a wild and crazy scenario and I would love to know what you’re opinions are?

Discription of the wild and crazy scenario…

So at this moment you have 2 W2K3 DCs hosting a domain that is practically the same as in production (same name, sids, etc.)  These servers also host DNS and WINS. Only the two DCs, their names and IPs are different. As you use a server based computing (SBC) solution in your production environment, you install a WXP client and a SBC server in your test environment. On that SBC server you install the front end applications that must communicate with the (Core) back end applications. All servers and clients in the test environment are setup to use only the DNS/WINS servers in the test environment both DNS and WINS will only return the DCs in the test environment as authenticating DCs! (For DNS nothing needs to be done, but for WINS you need to delete the 1Ch record and rebuild it by issuing NBTSTAT -RR on the 2 DCs in the test environment)

DNS and WINS in the production environment and test environment are not connected in any way!

A firewall will be placed between the production environment and the test environment and the following rules:

• No traffic whatsoever is allowed initiated in the production environment to the test environment
• The WXP client and the 2 W2K3 DCs are not allowed to communicate with clients/servers in the production environment
• The SBC server is allowed to communicate with all servers in the production environment except for the NT4 DCs in the production environment

In this scenario the following is true:

• User accounts, passwords, computer accounts, groups and memberships are exactly the same in the production environment and in the test environment
• The systems and users in the test environment will use the DCs in the test environment
• The systems and users in the production environment will use the DCs in the production environment

 

To test the (core) applications, a user logs onto the WXP client, sets up a session to the SBC server and starts on of the front end apps and that app connects through the firewall to the core application server in the production environment.

 

As you may see theoretically everything seems OK and it also seems no issues should occur with this. I’m wondering:

• If such scenario will work?
• Has anyone done this before?
• What could go wrong? (assuming the firewall is well configured and the DCs in both environments cannot communicate with each other!)
• If something goes wrong, what are consequences and what is the impact?

 

I would be very interested in your opinion concerning this wild and crazy scenario, so feel free to post ANY comments!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————