Domain Migration Gets Some Help
ENT and Client/Server Labs review domain management/migration tools
As the release of Microsoft Windows 2000 draws near, the promises being made for Active Directory make it clear that moving to a radically new environment will require more than simply dropping a CD into a server. Help is available from what are collectively referred to as domain administration or directory management tools. These applications and suites are designed to front existing Windows NT 4.0 domains with a graphical presentation similar to what will be in Windows 2000 and Active Directory, as well as to help with a migration to Active Directory.
ENT and Client/Server Labs tested four of these packages to determine if each was likely to help or hinder the process of moving from NT 4.0 to Windows 2000. We worked with DM/Suite from FastLane Technologies Inc., Delegation Manager and Virtuosity from Aelita Software Group, DirectManage from Entevo Corp. and the OnePoint suite from Mission Critical Software Inc.
The Migration Paths
Moving from Windows NT 4.0 to Windows 2000 requires implementers to follow one of three paths. The first, an "in-place upgrade," installs Windows 2000 onto an existing NT 4.0 domain with existing users and resources staying as is. Equivalent to what most administrators did when moving from NT 3.51 to NT 4.0, the in-place upgrade is simple, but it preserves whatever structural horrors have grown within the existing network.
At the other extreme, an administrator could choose to create a new domain structure using Windows 2000, ignoring what was done before. While this may have the appeal of building a new house, the complexity of most existing networks makes this option impractical for many users.
The intermediate option, more suitable for complex networks, is a phased migration. A new Windows 2000 domain is installed into the network, and users and resources are moved to the new structure over a period of time. The phasing period could be short or long, depending on the logical complexity of the network, the speed of the systems and the availability of administrative and support personnel.
The Role of the Tools
The tools we tested can provide several types of help to administrators preparing to move to Windows 2000. First and foremost is visibility into the current domain structure of the network through reporting functions or menu-driven interfaces. This information is key to planning the strategy for what items to move, where to move them and how.
The tools also allow administrators to create a logical view that is similar to their desired future structure, but built atop the current NT 4.0 network. This, however, leaves the problem of delegation of authority -- which NT 4.0 does not handle well -- to be solved by a third-party tool.
Finally, the tools may allow the administrator to directly move users and resources among the domains where they now exist. This can be used to rearrange the current structures to make an in-place upgrade feasible or to move items during a phased migration.
A Messy Domain
For our sample configuration we set out to create an environment that was messy, though predictable enough that we could understand what may take place. We began with three systems in an isolated network. Two IBM Netfinity 5500 servers were configured with Windows NT 4.0 Server. Each was made the PDC of a separate NT domain with a two-way trust relationship established between them. One server had Service Pack 3 installed, and the other, which also ran Exchange Server Enterprise Edition 5.5, was taken up to Service Pack 4. A Hewlett-Packard Kayak system was set up using NT 4.0 Workstation and Service Pack 3.
We created about 100 user accounts in each domain, with 10 accounts duplicated across the domains. The workstation was made a member of the domain controlled by the Exchange server, and all users in both domains were given Exchange mailboxes. All three systems were backed up to local hard drives using Norton Ghost 5.01d to allow the same starting configuration for each product we tested.
FastLane DM/Suite
FastLane Technologies' DM/Suite includes three directory management tools. DM/Administrator delegates administrative rights to departmental or group administrators. DM/Reporter produces analytical reports of the existing domain structures. DM/Manager moves users and resources among domains. The suite also includes a fourth product, DM/Developer, which lets an administrator create administrative scripts; we did not test it.
The DM/Suite includes four well-organized manuals, though it was unclear which components should be installed in which order. The biggest installation hurdle we faced was that DM/Administrator wasn’t on the boxed production CD we received. With help from FastLane, we downloaded a copy from an FTP site.
Our first task centered around the DM/Reporter tool, which uses Crystal Reports version 7 to examine existing domains. A clear hierarchical display allows users to pick an element -- a group, server, user or resource -- and retrieve detailed or summary information.
DM/Administrator required that we establish a two-way trust between the domains in our sample network. Using the menus to create and populate a "virtual domain" proved simple. We added users and resources from each of the "real" domains, creating a model of the structure we wanted in our new network.
Next we migrated some users and resources among the domains with DM/Manager. As with the other portions of the suite, point-and-click menus allowed us to make all of the relevant selections of the items to be moved. The product uses the concept of a "project," through which the administrator defines which users and resources to move, as well as rules for how to handle such things as name conflicts for users and groups.
Having defined our project, we started the migration and waited for it to complete. At this point, an unintended test occurred: a power failure shut the test server down mid-migration. Despite the unexpected event we were able to restart and resume the migration with no discernible error.
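To make the "project" idea concrete, here is an added Python model (not code from DM/Suite or any product reviewed here) of two constructed domains like our lab's, 100 accounts each with 10 names duplicated, and of how a migration project might apply a name-collision rule. The rule names skip, rename and merge, and the _mig suffix, are assumptions for the illustration.

```python
from dataclasses import dataclass, field
VALID_RULES = ("skip", "rename", "merge")  # assumed collision rules a project can choose

@dataclass(frozen=True)
class Account:
    name: str    # NT account name; compared case-insensitively
    domain: str  # domain the account came from

@dataclass
class MigrationResult:
    target: dict                                 # lowercase name -> Account
    renamed: dict = field(default_factory=dict)  # original name -> new name
    skipped: list = field(default_factory=list)  # incoming accounts left behind
    merged: list = field(default_factory=list)   # (incoming, existing) pairs

def migrate(target_accounts, incoming, rule, suffix="_mig"):
    """Move `incoming` into a copy of `target_accounts`. On a name collision,
    'skip' leaves the newcomer behind, 'merge' keeps the existing account and
    records the pair as one principal, 'rename' adds a unique suffixed name."""
    if rule not in VALID_RULES:
        raise ValueError(f"unknown collision rule: {rule!r}")
    result = MigrationResult(target=dict(target_accounts))  # never mutate input
    for acct in incoming:
        key = acct.name.lower()
        existing = result.target.get(key)
        if existing is None:
            result.target[key] = acct
        elif rule == "skip":
            result.skipped.append(acct)
        elif rule == "merge":
            result.merged.append((acct, existing))
        else:  # rename: add suffixes until the name is free
            new, n = f"{key}{suffix}", 2
            while new in result.target:
                new, n = f"{key}{suffix}{n}", n + 1
            result.target[new] = acct
            result.renamed[acct.name] = new
    return result

def build_domain(name, count=100, shared=10):
    """Constructed sample: `shared` names (user000..) common to every domain
    built this way, the remaining accounts prefixed with the domain name."""
    users = [Account(f"user{i:03d}", name) for i in range(shared)]
    users += [Account(f"{name.lower()}_user{i:03d}", name) for i in range(shared, count)]
    return users

def demo():
    # Two constructed 100-user domains sharing 10 names, as in the lab setup
    corp, mail = build_domain("CORP"), build_domain("MAIL")
    target = {a.name.lower(): a for a in corp}
    return {rule: migrate(target, mail, rule) for rule in VALID_RULES}
```

Running demo() shows the 10 duplicated names landing in a different bucket under each rule while the other 90 MAIL accounts move unchanged.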
Our next step was to simulate a simple but significant blunder. We installed Windows 2000 onto the server where we had been manipulating users and resources, purposely "forgetting" that we had been working with a virtual domain rather than a real domain. This resulted in the migration of the users and resources from that domain only.
Aelita Enterprise Suite
The documentation from Aelita Software was sparse. There was no printed manual; the only instructions were on a printed sheet included with the license key diskette, telling where to copy and use the key file. The three components of the Aelita suite that we tested -- Delegation Manager, Virtuosity and the Domain Migration Wizard -- installed easily when we followed the provided instructions and applied the key file.
Delegation Manager is the tool used to grant subordinate administrative privileges to group and departmental personnel. The product presents a hierarchical display of information, with tools for selecting users and resource objects and then reassigning them to other domains.
Aelita’s combined reporting and migration tool, Virtuosity, includes wizards for gathering report data and building migration scripts to move users and resources among the managed domains. We found the data-gathering wizard to be well-organized, with only one complaint. The wizard makes a distinction between gathering "standard" data and "advanced" data: it suggests standard data and warns that advanced data may take a long time to gather. The distinction between the two sets of data, however, was not made clear.
The Domain Migration Wizard proved problematic. After carefully going through step one -- in which we set up the lists of users and resources we wanted to move between our domains -- the wizard would not proceed to the second stage. With every attempt we made, it reported that some information had not been gathered from "one or more domains" and suggested that we might not have administrative privileges in one of the relevant domains.
We repeated the information gathering process several times, selecting various combinations of data and checking the product's log files for errors. Every indication was that the data gathering was successful in each case. We also verified that the domains had proper two-way trust relationships and that the account we used had explicit administrative rights in all domains. Despite these efforts, we could not convince the migration wizard to proceed to the second step of its process, nor did we see anything to indicate what data was missing or from what domain.
After testing some of the other products, we retested the Aelita suite. The product worked on this second attempt. The only thing that may have been different was the assignment of passwords, which might have been set as null entries during the first test. If that was the problem, an explicit indicator would have been helpful.
The remaining steps of the migration process went fairly smoothly. We did have some difficulty defining rules for resolving name collisions, and we found the screen for establishing rules unclear, with no on-screen help available. Also, we were asked twice to identify the systems where domains were migrated from and to.
The migration itself went smoothly and swiftly. The analytical reports were clear and useful, although once we told the wizard that we were finished with our migration, we were not able to find a path back to the migration reports -- a serious omission.
Entevo DirectManage
Entevo Corp.'s DirectManage suite has several unique installation and operation features. This tool was the only product we tested that demanded to be installed into an NTFS partition. Our test server had been set up with a FAT partition as primary, so we had to install it on a different partition than the other products. This led us to wonder what opportunities for security breaches and other abuse the other products, which accepted the FAT partition, might present.
We did encounter a peculiar installation error once we were well into the testing process. The DirectAdmin installation creates an administrative service and allows the installer to select the name for the resulting DirectAdmin "server." The installation warns that the name cannot be changed without reinstalling the product, but it does not appear to check for a properly formed name. We installed the service using the name Client/Server Labs, only to discover later that the name was used in forming various commands. The presence of the slash character prevented those commands from working.
On the plus side, DirectManage had the best account migration wizard of all of the products tested. Using a project concept similar to FastLane’s DM/Suite, Entevo walks administrators through the project creation process with clear explanations at each stage. The only oddity we encountered was that our trial migration claimed to have processed 128 objects -- users and shares, for example -- out of the 112 we had selected. The HTML-formatted report, however, reflected only the 112 objects we had expected.
Mission Critical OnePoint Domain Administrator and Directory and Resource Administrator
Recently renamed using the OnePoint moniker from its previous Enterprise Administrator name, Mission Critical's OnePoint Domain Administrator tool was the only product in our test list that is a plug-in to the Microsoft Management Console (MMC). The administration and delegation tool was also the only product to provide a Web interface. This may be related to the announcement in June that Microsoft licensed the Domain Migrator component of OnePoint Domain Administrator for delivery with Windows 2000.
The terminology used with the product is unique. The delegation of authority revolves around Old West themes, such as territories, marshals and deputies, which our testers found confusing. Nevertheless, we found the tools themselves fairly easy to work with.
The Directory and Resource Administrator tool does not make use of the MMC interface. It presents ordinary-looking windows with multiple tabs. From those windows you can choose to work with users, groups, territories, deputies and marshals. We were able to quickly assemble users and resources from both our domains into a new grouping using our desired structure.
One surprise was the fact that our real NT Administrator account was not considered to be a marshal or deputy without being explicitly defined as such.
Our first attempt to use the Domain Migrator tool in Domain Administrator failed. The tool presents a well-choreographed set of steps for migrating users and resources, but the first time we tried we were refused access to our secondary domain, even though we verified trust rights, access privileges and passwords. One of the testers realized we had changed the Administrator password on the secondary server without logging off or rebooting. Logging out of both servers and restarting cleared the problem. The process wizard then walked us through the phases of a migration, including selecting users and resources, defining collision rules, analyzing possible problems with moving the objects and reporting the results of the move.
Choosing the migration support tool for your organization will depend on several factors. Our testers liked the integration of Mission Critical's OnePoint suite, while finding its gun-slinging terminology a shortcoming. FastLane's DM/Suite and Entevo's DirectManage seemed to strike a good balance of user guidance and reliable operation. The Aelita product seemed to complete a migration more rapidly than others, but the product would benefit from better help screens and error messages.
Aelita Enterprise Suite
Aelita Software Group
FastLane Technologies Inc.
Halifax, Nova Scotia, Canada
OnePoint Domain Administrator/Directory and Resource Administrator
Mission Critical Software Inc.