Monday, March 31, 2008

Security Audits

In late 2005 I was working for a consulting company in the Milwaukee area. In an attempt to continue moving from a break-fix environment to a more proactive, managed IT approach, I was asked to develop a security audit methodology, which we would use in conjunction with our "taste-test" approach to new customers.

A taste-test was really nothing more than an engineer and a salesman showing a potential client how smart we were, how messed up their environment was, and how we could help them. We decided to use the Security Audit as another layer to enhance what we had to offer.

Here is an outline of the methodology I used, which was borrowed in large part from the SANS institute, along with a sample statement of work that was presented to my now employer.

Security Audit Methodology
A security audit will use best practice methods to discover, assess, test, and finally suggest modifications to the existing security infrastructure.

Guiding Principles

• The Principle of Least Privilege gives a person or a process only the minimal authority necessary to accomplish the job or task. Its objective is to control information flow and so protect against information leakage.
• Data classification determines the level of security controls needed to protect data. Data can be classified as confidential, private, public, or unclassified; confidential data requires more security controls than data classified as private.
• Separation of Duties is achieved by dividing a task, and the authority for a specific business process, among multiple users. Its primary objective is to prevent exploitation and fraud by requiring two people to complete a task. For example, to secure online funds transfers, the password needed to access the online account can be split so that each of two people enters only part of it.
• Confidentiality is the principle of non-disclosure of information to unauthorized users, entities, or processes.
• Integrity is the prevention of modification or destruction of an asset by an unauthorized user or entity. It is often used synonymously with data integrity, which asserts that data has not been exposed to malicious or accidental alteration or destruction.
• Availability ensures reliable and timely access to data or computing resources by the appropriate personnel.
• Identification is the means by which users claim their identities to a system. Most commonly used for access control, identification is a prerequisite for authentication and authorization.
• Defense in Depth describes layered defense strategies. The components at each layer work in tandem to provide one cohesive security mechanism, so that the failure of a single layer does not by itself expose the asset.

Risk Analysis Approach

The formula for calculating risk is:

risk = threats x vulnerability x value of assets

It is always important to assign numerical values, or to use a convention like high, medium, and low, so that the conclusions reached for different components can be compared. See Kepner-Tregoe and NIST's Risk Management Guide for Information Technology Systems (SP 800-30).

Stage 1: Conducting the Assessment

• Identify and interview key personnel for information gathering (see Assessment Questions).
• Identify all critical and non-critical security components (firewall, IDS, proxy, applications, databases, etc.).
• Use Appendix A as a template for the security assessment of each identified component. Assessments should include a Business Impact Analysis (BIA), which will be used to determine the appropriate technical and administrative controls described in the policy.
  o Identify all threats, vulnerabilities and security issues in each component.
• Discover and map the network to identify any infrastructure issues.
  o LanMapshot, Visio
• Scan the network with vulnerability scanning utilities:
  o GFI LANguard and Nessus on the LAN
  o L0phtCrack for weak password analysis
  o Ae2, wwwhack and Brutus for WWW access
  o thc-pptp-bruter for PPTP gateways
  o Microsoft Exchange Best Practices Analyzer
  o Microsoft Baseline Security Analyzer for servers

Password crackers and brute-force tools can lock accounts out and trip the client's intrusion detection, so run them only within the scope and hours agreed in the statement of work, with the client's written authorization.

Stage 2: Formulation of Target Security Architecture Design

Target designs are based on the results and recommendations of the assessment.

1. A logical architecture of IT security components is needed to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people. It consists of perimeter security, a computer incident response team, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security.
2. Physical architecture designs include network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, the Demilitarized Zone (DMZ), internal and external connections and the devices used, plus diagrams of other architectures in relation to the security architecture. Diagrams with IP addressing schemes identified are especially helpful.

Stage 3: Construct Policies and Procedures

According to Merriam-Webster's Online Dictionary, a policy is:
1. management or procedure based primarily on material interest;
2. a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions;
3. a high-level overall plan embracing the general goals and acceptable procedures, especially of a governmental body.

Companies develop policies and procedures to guide their employees and external companies on how to behave. While creating policies, one needs to strike a delicate balance between security and the ability to conduct business. Security should never be seen as an impediment but as an enabler that provides solutions and alternatives.

Policies are general in nature and should be distinguished from standards. A policy might read, "All communications must be protected from eavesdropping." The standard then shows how this is to be accomplished and what technologies need to be deployed to achieve the policy. It is very important for policies and standards to have the support of the executive team, and equally important for people to understand the policy and its objectives so that it gets the support it needs to achieve compliance. Auditors use these policies as references when conducting audits: auditing complements the other security efforts by measuring against the policies to uncover any deviation from them. Findings discovered by an audit are deviations from policy and best practice.

In practice, many system or device-related policies end up being translated into configurations on those systems and devices. Parallel development of policies and architecture is therefore necessary. For example, a policy can say "no surfing of illegal sites"; as the Internet server is being built, it has to be configured to block all known illegal sites, so the policy is translated into server configuration. Once all policies and standards have been developed the next Stage can begin, or the next Stage can be done in parallel.

Stage 4: Implement Target Security Architecture Design

Once the conceptual design and all related policies and procedures are developed, implementation of the target security architecture can begin. Projects that implement architectural changes should have a plan that defines the timelines, funding, and resources needed to implement these changes.

Stage 5: Integration of Security Practices to Maintain Secure Status

Security is a mindset and a process. To maintain a secure environment, one needs to define the role of IT security staff in evaluating all changes to the architecture, systems design, and network structure, so that secure status is maintained in day-to-day operations. To achieve this, security has to be integrated into two main processes:

1. The change management process: any changes to networks and other infrastructure components must go through this process.
2. The project management methodology and guidelines that guide the organization's technology projects. Security should be integrated into these guidelines at every stage where the guidelines call for it; for example, in Joint Application Development (JAD) sessions, in the business requirements definition stage, and in the implementation and development stages.

Getting involved in new projects allows the security architect to integrate security controls that implement policy. It also allows the security architect to anticipate and develop new policies and standards.

Sample Statement of Work (SOW Security)
Friday, October 07, 2005

David Demarais
Integrated Billing
7071 South 13th Street, Suite 104
Oak Creek, WI 53154

Dear David,

The following contains MyCompany's proposal for a network security audit. We at MyCompany feel this solution will meet Integrated Billing's network and data security requirements.

Overview

This proposal outlines the scope of work necessary to perform a network security audit at Integrated Billing. The suggested stages will ensure a proper audit and recommend steps toward securing your environment.

Performing a security audit is not a trivial affair. For a moderately sized firm in a single location, the total calendar time to complete the audit may be three weeks to a month, with an engineer dedicated to the project full time.

Security audits, especially a first audit, are not inexpensive, and costs depend on a wide variety of factors. A firm with a couple of hundred people in a single office and the "normal" array of computer applications found in a typical law firm might expect to pay $25,000 to $30,000 for a good in-depth security audit. If you have never had a security audit, costs may be higher, and a first-time audit is likely to disclose a great number of items worthy of further attention (i.e. more time and cost to fix potential security issues). Over time you can expect to narrow the scope of follow-on audits, so costs may be reduced.

Scope of Services

Stage 1: Conduct Security Assessment
1. Identification of key personnel to be interviewed for information gathering.
2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS, proxy, applications, databases, etc.).
3. A Business Impact Analysis (BIA) that will be used to determine the appropriate technical and administrative controls on which the policies are developed.
4. Identification of all threats, vulnerabilities and security issues in each component.

Stage 2: Formulation of Target Security Architecture Designs
1. Logical architecture design of the IT security components, to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people, and consists of perimeter security, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security.
2. Physical architecture design, including network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, the Demilitarized Zone (DMZ), internal and external connections and the devices used, and diagrams of other architectures in relation to the security architecture.

Stage 3: Construction of Policies and Procedures
Develop policies and procedures to guide employees on acceptable use. When creating these policies, the client will be consulted to strike a balance between security and the ability to conduct business.

Stage 4: Implementation of Target Security Architecture Design
Once the conceptual design and all related policies and procedures are developed, implementation of the target security architecture can begin. Projects that implement architectural changes will have a plan that defines the timelines, budgets, and resources needed to implement them.

Stage 5: Integration of Security Practices to Maintain Secure Status
1. Change management process: any changes to networks and other infrastructure components must go through this process.
2. Project management methodology and guidelines will guide the organization's technology projects; security will be integrated into these guidelines at all stages the guidelines require.

I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer and networking needs. This solution has been prepared by your personal engineer, John Croson, and reviewed by the technical services team. John can be reached at XXX-XXX-XXX x XXX, or by email at jcroson@MyCompany.com. Please contact John or myself if you have questions or require additional technical information.

Sincerely,
MyCompany L.L.C.
pdolan@MyCompany'snet.com

Acceptance of this proposal and statement of work is acknowledged by your authorized signature below.

___________________________________ Accepted By
__________________ Title
____________ Date

The Assessment Questions and associated appendix.

Assessment Questions
Each question is recorded as yes/no with comments.

Servers
• Vendors and models.
• Are servers up to date with patches?
• What services are open? Are the services needed?
• Is the device positioned correctly in the network?
• What are all the secure and non-secure interfaces?
• What is the history of the servers?
• Is there a process for making any changes?
• Who is responsible for account management?
• Are the logs being checked? Who is responsible for reviewing the logs?
• What are the password policies for the network?
• What is the physical security of the server equipment?

Backups / UPS
• What type of backups and rotations are in place?
• Are the tapes stored off-site or on-site?
• Is the data encrypted and/or secure?
• Is there an emergency data recovery plan?
• Is there power failover protection?

Virus / Spam / Spyware
• What brand/version of virus protection is present?
• How often are the definitions updated? Are the updates automatic?
• What brand/version of spam protection?
• Is there spyware protection?
• Does the company have an Internet / acceptable use policy?

Firewall
• Vendor and model.
• Is the system up to date with patches?
• Is its position in the network correct?
• Is there an IDS present?
• Is logging enabled and checked?
• What ports are open/forwarded, and to what hosts?

WAN
• What type of logs can we get from the ISP?
• What type of monitoring is done on the connections?
• May we perform vulnerability scans on these devices?
• Can we obtain routing information?

LAN
• What standards of cable are used?
• What is the network topology (bus, linear, star, hybrid, mesh, ring)?
• What is the layout of cabling and devices?
• What types of routers, hubs and switches are used? Do they require a user name and password for access?
• Is change management used when changing router or switch configurations? Who approves these changes?
• What is the policy regarding connecting to the LAN?
• What is the policy regarding activating ports?
• Who has access to the physical space?
• Is there a policy for connecting external vendors to the LAN?
• Is physical security practiced properly for accessing the premises, and is there a process for activating and deactivating badges, LAN ports and LAN connection drops?

Wireless
• If there is wireless access, is encryption used? If so, what type?

Workstations
• Are workstation applications and OS patched?
• Is there change management at the workstation level for hardware/software?
• Is there virus/spyware protection on the workstation? Is it managed by IT, or at user level?

Appendix A
Security Assessment template: one row per identified component, with the following columns.

• Component
• Type
• Business Impact Analysis
  o Required for operations?
  o Would a security breach have any implications?
  o Are there administrative/technical policies in place?
• Observations
• Recommendations

The three Business Impact Analysis questions are repeated for every component assessed.
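A worked example of the scoring described under Risk Analysis Approach above, applied to the per-component Business Impact Analysis answers from the Appendix A template. This is added here and is not part of the original methodology document. The component names, the ratings and the 1/2/3 mapping for low/medium/high are constructed assumptions, and the high/medium/low bands placed on the product are an illustrative convention rather than something the methodology prescribes.

```python
"""Prioritize assessed components with risk = threats x vulnerability x value of assets.

Added example, not from the original audit methodology. Ratings are mapped
low/medium/high -> 1/2/3 (an assumption), multiplied, and banded back to
H/M/L so components can be compared; the Appendix A answers add BIA flags.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}
MAX_SCORE = 3 ** 3  # 27: all three factors rated high


@dataclass
class Component:
    name: str
    threat: str
    vulnerability: str
    asset_value: str
    required_for_operations: bool    # Appendix A: required for operations?
    breach_has_implications: bool    # Appendix A: would a breach have implications?
    policy_in_place: bool            # Appendix A: admin/technical policies in place?


def rating(value):
    """Convert a high/medium/low rating to its numeric value, rejecting anything else."""
    key = value.strip().lower()
    if key not in RATING:
        raise ValueError(f"rating must be high, medium or low, got {value!r}")
    return RATING[key]


def risk_score(c):
    """risk = threats x vulnerability x value of assets, on a 1..27 scale."""
    return rating(c.threat) * rating(c.vulnerability) * rating(c.asset_value)


def risk_band(score):
    """Band the product back to H/M/L. Multiplying ordinal ratings is coarse,
    so the bands are the conclusion, not the raw number (illustrative cut-offs)."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def bia_flags(c):
    """Business Impact Analysis notes derived from the Appendix A answers."""
    flags = []
    if c.required_for_operations and not c.policy_in_place:
        flags.append("required for operations but no administrative/technical policy")
    if c.breach_has_implications and not c.policy_in_place:
        flags.append("breach impact acknowledged but no control documented")
    return flags


def prioritize(components):
    """Return (name, score, band, flags) rows, highest risk first.

    Ties go to components required for operations, then to name, so the
    report order is stable between runs."""
    rows = []
    for c in components:
        score = risk_score(c)
        rows.append((c.name, score, risk_band(score), bia_flags(c)))
    required = {c.name: c.required_for_operations for c in components}
    return sorted(rows, key=lambda r: (-r[1], not required[r[0]], r[0]))


# Constructed sample: three components from a small-office assessment.
SAMPLE = [
    Component("perimeter firewall", "high", "medium", "high", True, True, True),
    Component("PPTP VPN gateway", "high", "high", "high", True, True, False),
    Component("intranet web server", "medium", "low", "low", False, True, False),
]

if __name__ == "__main__":
    for name, score, band, flags in prioritize(SAMPLE):
        print(f"{name:22} {score:2d}/{MAX_SCORE} {band:6} {'; '.join(flags)}")
```

The BIA flags are what turn a number into a finding: a component that is required for operations and has no policy behind it is a deviation from policy regardless of where its product lands in the bands.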

Then I put together a process sheet for those that needed it, mainly the junior engineers.

GFI LanGuard HowTo (brief)
Security Audit How-To
Monday, March 21, 2005

• Network Setup

You will need to be connected to the network and have GFI LanGuard N.S.S. installed in order to perform these tasks. If you don't have it installed, get one of the internal engineers to assist you with the installation and configuration.

Once you are set up at your client's location, you will have to connect to their network, probably through a CAT 5 connection to a switch or hub in their server room, or at another location in the office area. You must be connected to the same LAN that the workstations on the domain are connected to, and you will need a domain administrator's username and password, supplied by the client contact.

If the client's IP addresses are served via DHCP, you can simply start scanning with GFI. If not, you will have to find out what the address scheme is from a workstation on the LAN. The easiest way is to go to Start, Run..., type cmd in the Open box and click OK. In the CMD window, type ipconfig /all. You may have to maximize the window to see all of the output.

To change your own IP, go to Start, Control Panel, then Network and Internet Connections in Category View (Windows XP) or Network Connections in Classic View (Windows XP, 2000). Find the device called Local Area Connection, right-click it, and choose Properties. Highlight Internet Protocol (TCP/IP) and click the Properties button. Select "Use the following IP address" and type in settings similar to those of the machine you checked, but make sure the last number of the IP is different. No two machines on the network may share an IP address, so you may get an error if you choose one that already exists; if so, change the last number until you get no error. Pinging the address from the client workstation before you assign it is a quick way to confirm it is free. Duplicate all the remaining settings: Subnet Mask, Default Gateway, and DNS servers.

• GFI Setup

If you don't have GFI set up for reporting, do this step first. Open GFI LanGuard N.S.S., right-click Scan Filters and click New, Filter... Give your filter a meaningful name, like MyCompany. Then exclude your own workstation from all scan reports: click Add, select the Hostname option, click Next, change the condition to "Not Equal To", fill in your machine name, then click Add. Now select the items to report on, making sure everything beneath Vulnerabilities is selected, and click OK.

Next, perform the GFI security scan. Run GFI LanGuard Network Security Scanner. If the client is in a domain, choose alternative credentials in the Using box and enter the domain admin account supplied by the contact: the domain\username in the User Name box and the password in the Password box. If the client is NOT in a domain, select "A Null Session" from the Using box. In the Scan Target box, type the IP range of the network discovered when setting up your PC, or open a CMD window and obtain that information with ipconfig /all as described above. Press the Scan button. It will take approximately 40 minutes for a 25 PC environment. Once the scan completes, click on the MyCompany Scan Report and review your new scan.

Funny thing is, after we'd stopped in, performed our tests and shown the customer where they were vulnerable, they were still reluctant to sign.

Boggles my mind, especially after I was able to get into an SMB's unprotected wireless environment, find a vulnerable workstation, and show the owner a spreadsheet of his employees' salaries. SCARY.

Symantec Endpoint Protection...is a PIG

I just spent the last few days troubleshooting a Symantec Endpoint Protection migration from Symantec Antivirus Corporate Edition v10.x. What an effort.

Much like the last time I upgraded a client from 9 to 10. They conveniently forgot to include "May bring your older, underpowered workstations to their KNEES." in the product description. That client had about 25 workstations that were old HP workstations, running Windows 2000 on 256 MB of RAM and 500 MHz CPUs. Once they started up, the "Startup Scan" would bring the machine to a crawl, and it would only perform well when the scan completed, which for those old things was quite a while. Nice of them to release a registry hack to disable that...then they released a config option in the next patch...NICE. It also forced the client to bump all the workstations' RAM to 512. Nice for my billable hours, but not for their non-profit wallet.

This time the environment is much different, and I "own" it. That is to say, I'm back to an in-house position, no longer consulting. My AV server has 2 GB of RAM, a 3 GHz Xeon processor, and lots of drive space...which is too bad, because after learning more about this product, I've found it is a resource HOG.

Check out these numbers: http://www.symantec.com/business/products/sysreq.jsp?pcid=2241&pvid=endpt_prot_1

Holy Crap! What if I wanted to run Exchange?

Not only did they release this bloated replacement, but they released it horribly broken. The SEPM (manager component) only works from the console. I can't get my graphs to display through Terminal Services (RDP), and after troubleshooting with Symantec staff, I eventually broke it and was forced to re-install and re-configure TWICE. OMG, not again... If I didn't have maintenance on this thing, I would have fallen back to Trend. At least they have a product that installs clean. Hell, it'll even remove the Symantec clients from the workstations. Very SLICK.

It also messed with my DC / App server. Kept blue screening. The dump files didn't point to any specific driver, but when I uninstalled the SEP client, and installed the old 10.x client in stand-alone mode, my BSOD problems went away. MMmmm, imagine that. I won't be letting SEP back on my DC for awhile.

MP2 is supposed to fix this problem, and a few others, but I'm a bit reluctant to patch this now. I mean, geez! Do I really wanna risk breaking the install and my configs again, and have to remove/re-install a third time? I don't think so.

Ok, enough whining....back to work.

Friday, March 28, 2008

More Work, Please.

I've been working quite hard at my new job at Integrated Healthcare Business Solutions. Just a small list of what I've been doing in that time:

  1. Migrate Windows 2000 Domain to 2k3, which required:
    1. New Server and SAN setup.
    2. Migrate Aquarius Document Imaging IIS application and SQL databases to new server.
    3. Migrate Data to new server.
    4. Heavily modify GPOs for the new environment.
    5. Deploy WSUS for new environment.
    6. Set up Terminal Services on old server (complete wipe of 2k and new build of 2k3)
      1. This box also does AV (SEPM), Backups (SBE) and supplies us with FlexWiki
    7. Lots more I'm sure I've forgotten by now...
  2. Deploy 2k DC as backup auth server which also serves as:
    1. GFI FaxMaker 12 Fax Server
    2. IAS Server (for our ASA 5510)
    3. FireFTP Server
  3. Deploy a Linux server based on the Debian distro:
    1. Hyperic - server, application and network monitoring/metric tool
    2. Local Postfix SMTP server (Utility mail for GFI, etc.)
    3. Ntop services
    4. Intranet web
    5. Custom compliance reporting (read: whistleblower; PHP and MySQL)
    6. Backup to NPI database
    7. Snort IDS
  4. Move ColdFusion site from old hosting provider to another. We hired a company to design a website for us, and after that was finished, I needed to brand our private client portal. I did quite a bit of code cleanup and modification. I also added a number of Open Source JavaScript utilities that improved file sorting, controlled user input, and the like. This client portal is a utility used to send files to and from clients in a secure manner, since we deal with PHI.
Lately I've been working on a Joomla site for the American College of Hyperbaric Medicine [New site, Old site]. This involves MANY components, modules and plugins:
  1. Community Builder
  2. AEC
  3. Fireboard
  4. JEvents
  5. Joosurvey
  6. sh404SEF
  7. Xmap
  8. and a number of other mods
I've also purchased a template from Joomlashack.com and hacked it up a bit, added some Flash to make it look pretty, etc.

Whew! Back to work......

Wednesday, March 26, 2008

The Smoke and Mirrors of Server Upgrades

This past semester I had to write a paper for my Technical Reporting class that dealt with communicating technical topics to non-technical persons. This was my attempt.
Final Guide
The Smoke and Mirrors of Server Upgrades Prepared by John Croson Contents Introduction ...........................................................................2 Environment Evaluation .......................................................2 Hardware ...................................................................2 Software ....................................................................3 Server Services ..........................................................3 Operating System and Hardware Selection ..........................4 Server Editions ..........................................................4 Server Licensing .......................................................4 Hardware Considerations ..........................................5 Server Selection Tips ................................................6 Server Upgrade and Migration ..............................................7 In-Place Upgrade ......................................................8 Clean Installation ......................................................8 Surrogate Migration ..................................................8 6 – Active Directory Preparation .........................9 7 – Active Directory Installation ..........................10 8 – Data Migration................................................13 10 – Active Directory Migration...........................13 12 – Internet Information Services.......................14 13 – SQL Server....................................................15 Post Installation .........................................................18 Application Migration ...........................................................19 Conclusion ............................................................................19 References .............................................................................20 Glossary of Terms..................................................................21 Page 1 of 27 .: Introduction As time and technology 
progresses, system administrators find themselves patching software, fixing hardware, installing upgrades, all to avoid the inevitable: THE UPGRADE. This will make management cringe at the expense, users moan that their work day might be disrupted, and system administrators wipe the sweat from their brows realizing their existence for the next 3 to 6 months will be secure. This guide will provide information and tips on Windows 2003 Server upgrades and migrations to include:     Active Directory IIS SQL Applications While this is not a definitive guide on the subject of Windows Server 2003 upgrades and migrations, it will provide consolidated information for systems administrators seeking upgrade guidance. .: Environment Evaluation The first phase of any type of migration is to evaluate your environment. In many cases, patch levels, running applications, and services provided are documented, but my not be complete. Depending on your role in the environment, you could be facing a dire situation. Jack Taugher [9, excerpts from interview], a colleague who is an IT consultant was asked to quote a server upgrade. He was provided some information by the potential client, and drew up a quote. However, when he arrived to deliver the quote, he found the server with the front grill open revealing two IDE drives sitting unmounted, stacked in the case. They were the systems sole drives in a mirrored configuration. Upon closer inspection, one had failed without warning, putting this client at great risk of data loss. Jack informed the customer of the situation, and was immediately hired to rectify the situation. This discovery changed the scope of the migration project, and the quotation. Stabilization of the existing server is vital, and an initial evaluation would have revealed this. .: Hardware Whether you find existing documentation or not, a complete evaluation is imperative, especially if you are planning to upgrade the system software on your existing hardware. 
There are a variety of tools available to inventory the server hardware. Belarc Advisor [7, resource] has an excellent utility for quickly evaluating the hardware, operating system patch status, and even performing a Center for Internet Security benchmark. Additional utilities for hardware evaluation are also provided by OEM support sites. For example, Dell has a utility that automatically probes for the machines service tag number, and provides a detailed list of the original hardware configuration, accompanied by the current hardware configuration. Microsoft provides the Microsoft Baseline Security Analyzer (MBSA) that is useful for testing the patch status of both the server to be retired, and the new replacement. There are also many vendors of enterprise level hardware evaluation utilities. If you plan to upgrade the system software on your existing server, use the hardware inventory to cross reference the Microsoft Hardware Compatibility List (HCL) [6, resource]. Most major manufacturers of server components will certify those components for use with Microsoft Operating Systems. You should use the Evaluation Worksheet addendum for your inventory, or if you are fortunate enough to have an OEM system that is HCL certified, you need not pour through that extensive list Belarc and other utilities produces. Simply record the server make and model, verify it at the Microsoft HCL website, and ensure that any added components since putting the server into service are also HCL compliant. Print the results from your hardware Page 2 of 27 inventory program and attach it to the Evaluation worksheet. It is possible that some components will not be HCL certified. When this becomes the case, check with the manufacturer for driver availability. They are usually available and reliable. If not, many times Microsoft will provide generic driver support for those devices. Check Microsoft's website and failing that, Google it! 
.: Software

The next step in the evaluation is the software. Microsoft's MBSA and Windows Update do a fine job of identifying needed updates, but application software is another matter. Some manufacturers provide a method of checking for updates: Sun Java, Symantec's LiveUpdate, and some Intel components are examples of software with automatic update features. Others require that you either run a utility from inside the application or visit the manufacturer's website for downloadable patches. Use page three of the Evaluation Worksheet to record all third-party applications, their version numbers, and their patch status.

Evaluating the workstations, and the software on them that connects to the server, is also important. Patches to the server may affect workstations in many ways. Some server applications automatically update their clients; some require that the client portion of the same patch be applied on each workstation; other client/server applications require no patching on the client side. It is important to understand the applications that run on the workstations and how they interact with the server. Check workstations in different departments for installed applications: you are more likely to find the greatest differences between departments and their managers than by choosing a couple of workstations in the same area, used by people performing similar tasks. Record your findings on page four of the Evaluation Worksheet.

Once this is complete, contact the application manufacturers and ask about any compatibility issues between their software, the Microsoft patches you are missing, and the proposed server environment. Lastly, ensure that installation media or a download location is available for each of these applications. If the resource is a website, download the files now for later use. The last thing you need during a server upgrade is missing software.

.: Server Services

Observe server load during normal operating hours.
This will give you an accurate perspective on processor and memory utilization. If you observe abnormally high usage, identify the responsible processes with Windows Task Manager, Performance Monitor, the Sysinternals process viewer [5, Marcin Policht points out these, and suggests www.sysinternals.com for free utilities], or another process analysis utility. Record your results and use these findings to ensure your hardware selections are appropriately sized, if you plan to replace your existing server.

Inventory the running services on your server, as many Windows 2000 Servers have unnecessary services running and consuming resources. Disable any unused services, and note the services that are needed, since a default Windows Server 2003 installation has very few services enabled, unlike Windows 2000 Server. Use Xnetstat or a similar utility to determine the listening ports and the program that created each listening socket. These provide clues to services that may not be listed in the Services Microsoft Management Console (MMC): some services are started by scripts or other methods at server startup. Once those programs are located, check the file properties and research the program. Again, Google is an invaluable resource for this information.

The Microsoft Management Console can export its contents to a text file; doing so with the service list renders a nicely formatted file that can be opened in Excel. Simply right-click the Services object in Computer Management and choose Export List. The export can be either tab-delimited or comma-separated. Attach this list to the Evaluation Worksheet, noting any services not in the export on page five of the worksheet.

.: Operating System and Hardware Selection

Now that the environment has been documented, your operating system can be chosen. You may also be choosing a new server, if your upgrade plans include one, so hardware needs will also be considered.
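The inventory described under Server Services above can be scripted. The PowerShell script below is an added example and is not part of the original document: it exports the service list with the start-up account and binary path (fields the MMC Export List leaves out), maps each listening socket to the process and image that opened it, and lists the listeners that no registered service is hosting, which are exactly the start-up-script programs the text warns about. It assumes PowerShell 2.0 is installed, that it runs as a local Administrator, and that netstat supports -o (Windows XP/2003 or later; on a Windows 2000 server use Xnetstat or Sysinternals TCPView for that step, as the text suggests). The output folder C:\Eval is an assumption.

```powershell
# Added example: service and listening-socket inventory for the Evaluation Worksheet.
# Assumes PowerShell 2.0, local Administrator rights, and "netstat -o" support
# (XP/2003 or later). The output directory is an assumption.
param([string]$OutDir = "C:\Eval")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Services, with the fields the MMC "Export List" leaves out: the account the
# service runs as, the binary it starts, and the PID hosting it.
$services = Get-WmiObject Win32_Service
$services |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName, ProcessId |
    Sort-Object Name |
    Export-Csv (Join-Path $OutDir "services.csv") -NoTypeInformation

# Map every PID to its process so each socket can be tied to an image on disk.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Parse "netstat -ano". TCP rows: Proto Local Foreign State PID.
# UDP rows: Proto Local Foreign PID (UDP has no state column).
$listeners = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { $procId = [int]$f[4] }
    elseif ($f[0] -eq 'UDP')                         { $procId = [int]$f[3] }
    else { return }                                   # headers, established, blank lines
    $p = $procs[$procId]
    New-Object PSObject -Property @{
        Proto   = $f[0]
        Local   = $f[1]
        PID     = $procId
        Process = $(if ($p) { $p.Name } else { '<unknown>' })
        Image   = $(if ($p) { $p.ExecutablePath } else { '' })
    }
}
$listeners | Sort-Object Proto, Local |
    Select-Object Proto, Local, PID, Process, Image |
    Export-Csv (Join-Path $OutDir "listeners.csv") -NoTypeInformation

# Listeners whose PID hosts no registered service: programs started by logon
# scripts, Run keys or scheduled tasks that the Services MMC will never show.
# PID 4 (System) is kernel-mode SMB/HTTP.sys and is expected.
$servicePids = $services | ForEach-Object { [int]$_.ProcessId }
$listeners |
    Where-Object { $servicePids -notcontains $_.PID -and $_.PID -ne 4 } |
    Format-Table Proto, Local, PID, Process, Image -AutoSize
```

Research every line of the final table before you decide it can be dropped: a listener with an image outside %SystemRoot% or Program Files, or with an '<unknown>' process, is either an undocumented dependency or something that should not be on the server at all, and either way it has to be resolved before the migration.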
.: Server Edition

Microsoft's Windows Server 2003 comes in a number of editions, based on your needs. Listed below are the editions, along with a brief description of the differences.

- Windows Server 2003 Web Edition – Primarily used in single-server, unclustered web server environments. Does not provide many of the services necessary in a client/server environment. Hardware is limited to 2 processors and 2 Gigabytes of RAM.
- Windows Server 2003 Standard R2 – Designed for small to medium-sized businesses. Supports up to 4 processors and 4 Gigabytes of RAM. Provides file, print, and application deployment.
- Windows Server 2003 Enterprise R2 – Designed for medium to large businesses. In addition to the same services as Standard, support is expanded to 8 processors, 32 Gigabytes of RAM, and 8-node clustering. The 64-bit version of this edition increases RAM support to 1 Terabyte. Enterprise Edition also provides the ability to hot-add supported hardware, which is important in an environment where server downtime is not an option: it allows one to add, install, and configure hardware without shutting the server down.

.: Server Licensing

Licensing your new operating system can be a bit complicated. First, your existing Windows 2000 Server licenses are not transferable, so you will be required to purchase new ones. To begin, you must understand the basics of the Microsoft licensing model:

- Every installation of Windows Server 2003 requires a server license.
- A Windows Server 2003 Client Access License (Windows CAL) is required to access or use any resource on the server.
- A Windows CAL is not required for unauthenticated access to the server. An example would be accessing a web site on the server where no identifying credentials are exchanged.
- A Terminal Server Client Access License is required to use Terminal Services in application mode, i.e. hosting a GUI for remote user access, except for a console session.
Some changes that arrived with Windows Server 2003:

- The introduction of the Device Client Access License (Device CAL) alongside the existing User CAL. You can choose to purchase a User CAL for every named user accessing your server, or a Device CAL for each device.

TIP: For the best value, use this example when choosing a licensing method. A factory with 20 computers used by 3 shifts of 200 users should purchase 20 Device CALs. A company with 20 users, each using multiple devices such as computers, laptops, and mobile devices, should choose User CALs, since the devices outnumber the users.

- The Per Seat licensing mode has been renamed Per Device or Per User mode. Per Server mode is unchanged, and the mode you choose during the operating system installation is important. Per Device or Per User mode allows each licensed user or device to connect to multiple servers. Per Server mode allows as many users as you have licenses for to connect to that server. The rule of thumb: if you have one server, choose Per Server mode; if you have more than one, choose Per Device or Per User mode.

There are also different license types: Volume Licensing, Open Licensing, and Software Assurance. Fortunately, Microsoft's online licensing evaluation tool [8, from the MS licensing website: click How To Buy, and at the bottom of the resulting page click the “Find the right licensing program for you” link] does a good job of asking which product you'd like to purchase and the number of users or devices connecting. It then determines which licensing you qualify for and gives an estimate of the cost. I used the tool and received an estimate of $1200 for Windows Server 2003 Standard R2 with a 25 User CAL pack.

.: Hardware Considerations

Whatever your decision in the way of OS or licensing selection, you must still plan for the future.
If the user load is 25 employees now but growth is expected, plan your server install accordingly. Hardware selection is also extremely important in terms of expandability. If the business grows in the next 5 years, the server will be required to handle that load immediately, or have the upgrade capacity to meet growing needs.

If you are considering keeping your existing server hardware, ask these important questions:

1. How important is your server to your day-to-day operations?
2. Can you operate for one day without it? What about a week?
3. Is your existing server still under warranty, and if so, for how long?
4. Is there an extended warranty available for purchase?

Using existing hardware for a server upgrade can be argued pro and con. My personal opinion is: if you answered “Very” to question one, “No” to question two, less than one year for question three, and more than 20% of the server's original cost for question four, then it is time to replace your existing server. A study by the accounting firm McGladrey and Pullen [1, from Darryl Peddle's article] last year estimated that one in 500 data centers will suffer a catastrophic data loss this year; of those, 50% are expected to go out of business. Considering that, the price of a new server is a drop in the proverbial bucket.

Another argument from the “Don't be Cheap” camp is this story from Jack Taugher [9, excerpt from interview]. A client owned a Compaq server that was relied on quite heavily, and its warranty was set to expire soon. The customer decided not to renew, since the server was slated to be replaced in six months. Shortly after the warranty expired, a fan failed, taking the server down and out of use. Normally, when a server is under warranty, replacing parts is quite simple: call the manufacturer, and a part is in your hand in four hours.
In this case, they waited three days for the fan to arrive, only to find it was the wrong part. Another fan was shipped by FedEx and installed, and the server was back up and running. The entire process took one week, approximately 7 days longer than they wanted to be without the server.

Hardware selection should be made carefully. In most cases, if your existing server was not overloaded and is of a typical replacement age (3 to 5 years old), you will likely find yourself purchasing one that is much more powerful, simply because of advances in technology.

.: Server Selection Tips

1. Processor Speed and Type
1.1. This will be determined primarily by the performance of the old server. If utilization on the old server approaches 30% or more, carefully determine the reason. If services and applications are driving utilization up, and the server contains adequate RAM, a faster processor is in order.
1.2. Dual processors can improve performance dramatically, as can choosing a 64-bit environment. BENEFITS: Performance and useful life.
2. RAM Considerations
2.1. Double, and if possible triple, the RAM for your new server. BENEFITS: Performance will increase, and ultimately productivity: if your applications run faster, your employees' productivity improves, which directly affects the bottom line.
3. Hard Drive Space and Configuration
3.1. Ensure your allocation for drive space is at least twice what it is now, preferably larger. BENEFITS: Your data will grow; preparing for it now saves time and money in the long run.
3.2. Configure your system and data drives in RAID 5, with a fourth drive as a hot spare for fail-over. BENEFITS: It is a cost-effective solution and provides good protection against data loss. NOTE: Some will argue that the system should be installed on a pair of drives configured as RAID 1, with three drives in RAID 5. That leaves no hot spare, and means purchasing an additional, fifth drive.
Choose your comfort level, and budget accordingly.
4. Tape Drive
4.1. While RAID 5 offers redundancy, it should not be treated as a failsafe method of data storage. Data backups are still imperative.
4.2. Choose a tape drive capable of backing up your entire data drive onto one tape cartridge. If your data exceeds a single cartridge, consider a tape library.
4.3. Consider a backup solution that provides Intelligent Disaster Recovery. These options typically allow you to recover all your data in a “bare metal recovery” scenario, i.e. all your disks fail and you need to restore everything to fresh drives.
4.4. Review your current backup scheme. Daily full backups with a five-tape rotation are not good practice. A better solution is Grandfather, Father, and Son. Daily (Son) backups are rotated daily, with one graduating to Father once a week. Weekly (Father) backups are rotated weekly, with one graduating to Grandfather once a month. Monthly (Grandfather) backups are rotated out quarterly for off-site storage for disaster recovery. BENEFITS: When your server crashes and you perform a full restore while your boss looks over your shoulder, you'll thank me.

Enough cannot be said about expandability and meeting expected server demands when installing a new server. It is far better to over-purchase than to have to buy more components later to extend the usefulness of your investment.

.: Server Upgrade and Migration

According to Microsoft, there are two methods to migrate and upgrade a server [3, from “Upgrading from Windows Server 2000 to Windows Server 2003”]: In-Place and Clean Installation. I prefer a clean installation in all cases, since in-place upgrades usually result in issues of some type. This can pose a problem if you choose to keep your existing hardware, since a clean installation requires that you recreate your environment from scratch.
This is why I have used a “Surrogate Migration” in cases where the source server is the only one in the environment and is experiencing issues. It gives the users in an unstable environment a solid source of server services during a “rescue” attempt. In an ideal situation, you will have a new server purchased from an OEM distributor with Windows Server 2003 already preinstalled. This eliminates step 2 of the Surrogate Migration, but not its sub-steps, i.e. 2.1 a, b, and c.

In-Place Upgrade onto existing hardware – Performing an in-place upgrade may at first glance be an attractive possibility.
Pros:
- Any existing permissions, users, groups, rights, and Windows settings are preserved.
- The Active Directory component upgrade is automated, and most networking services are upgraded seamlessly as well.
- Applications and files do not need to be re-installed.
Cons:
- Any known or unknown issues that reside in software or hardware remain.

Clean Installation onto existing hardware
Pros:
- If you keep your existing server, reformatting the hard drive may improve performance and give you a clean environment.
- You can also modify the hard drive partitions to better serve the size and number needed to meet your requirements.
Cons:
- Migration of Windows components is more time consuming, since they will be manually re-created.
- All applications will need to be re-installed and re-configured, which requires documenting application settings.
- Any known or unknown issues that reside in hardware remain in the environment.

Surrogate Migration, back to the originating server – This option is used when the complexity of Windows services or other applications must be maintained and tested before removing the source server, or in server emergencies where an unstable source server must quickly be relieved of its duties.
Pros:
- In a single-server environment with many users, computers, and customized installation deployments, security settings can be tested and migrated.
- Benefits from a clean installation.
Cons:
- All applications need to be re-installed and re-configured. Twice.
- Any known or unknown issues that reside in hardware remain in the environment.

.: In-Place Upgrade

Performing an in-place upgrade is similar to the Surrogate Migration steps, except for step 6, which is not needed on a member server. If the server is a domain controller, however, Windows Server 2003 setup checks that the forest and domain have been prepared and will not upgrade it until adprep /forestprep and /domainprep (step 6) have been run against the Windows 2000 forest. Insert the Windows Server 2003 disk, and if the Windows Server 2003 menu appears, choose Upgrade to Windows Server 2003. If not, navigate to the CD drive in My Computer and run autorun.exe. The process is similar to a fresh installation, apart from selecting the Upgrade option at the beginning, and takes approximately as long.

.: Clean Installation

Performing a clean installation is similar to the Surrogate Migration steps, except for step 6, which is not needed. At the beginning of the installation process, take the opportunity to review the partitions, choose a partition layout that meets your needs, and reformat all drives with the NTFS file system. Your system drive (usually C:) should be about 20 GB in size.

.: Surrogate Migration

You will need a surrogate machine, so choose something with reasonable speed and drive space, adequate to store the data and applications currently on your existing server. Choose a workstation that can handle some load in case the upgrade becomes problematic and requires more time than the upgrade window provides; you may actually have to use it as a temporary server.

1. Backup – First and foremost, back up your old server in its entirety, and verify that the backup restores before you touch anything else.
2. Install Windows Server 2003 – On the surrogate machine, install Windows Server 2003. Choose the Per Device or Per User licensing model during the installation.
Install the following components from Add/Remove Programs, Windows Components, after the installation is complete:
2.1. From Windows Components in Add/Remove Programs choose the following (see Figure 1):
a) DNS
b) DHCP – Copy the settings from the Windows 2000 Server. If this is a complex setup, refer to Microsoft Knowledge Base article KB325473 for migration steps. IMPORTANT TIP: Make sure that, while the retiring server is in use, this machine's DHCP service DOES NOT START. The Microsoft DHCP service is not very intelligent and will shut itself down if it sees another DHCP server on the network. DO NOT ACTIVATE THIS SERVICE until the old server's DHCP service has been stopped.
c) WINS
3. Patch Servers – Assuming you checked with the application vendors about patching servers and applications, proceed to patch this server and the Windows 2000 Server to current levels.
4. Time Settings – Ensure both servers are either synchronized to the same Network Time Protocol (NTP) servers, or manually set to the same time. Kerberos rejects tickets from clocks more than five minutes apart, so a skew here shows up as authentication and replication failures later.
5. Disable Anti-Virus – Disable any anti-virus programs running on the server, to avoid possible issues during migration. Make a note to re-enable them when the migration is finished.
6. Active Directory Preparation – Before you can install Active Directory (AD) components on this new “server”, you must first prepare the Windows 2000 forest and domain by updating the schema [4, screen shots used by permission of Daniel Petri]:
6.1. Insert Disk 2 of the Windows Server 2003 R2 disk set into the Windows 2000 Server that holds the Schema Master FSMO role; adprep /forestprep must run there, and /domainprep (step 6.3) must run on the Infrastructure Master. In a single-server environment both roles are on that one server, so just insert the disk. If not, and you are unsure which server holds which role, refer to Microsoft Knowledge Base article KB234790 for instructions. The account running adprep must be a member of Enterprise Admins and Schema Admins.
6.2. From the CD-DRIVE:\CMPNENTS\R2\ADPREP\ directory, run adprep.exe /forestprep, where CD-DRIVE is your CD-ROM drive. Note the output in Figures 2 and 3. Allow the schema changes to replicate to all domain controllers before continuing; in a single-server environment there is nothing to wait for.
6.3. Now that /forestprep is complete, run adprep.exe /domainprep.
The output is very brief (Figure 4).
6.4. After running the ADPREP commands, open %systemroot%\system32\debug\adprep\logs\ADPrep.log and look for error messages that may need to be resolved.
7. Active Directory Installation [2, referenced from the Windows Server 2003 Active Directory website] – On the surrogate server go to Start, Run, type dcpromo.exe in the Run box, and click OK. This starts the Active Directory Installation Wizard. The first window is introductory; click Next.
7.1. Domain Controller Type – Domain controller for a new domain, or additional domain controller for an existing domain. See Figure 5. IMPORTANT NOTE: If your investigation determined that your Active Directory environment contains errors, consider creating a new domain. This choice creates more work, but eliminates the possibility of migrating bad data.
7.2. Network Credentials – Enter the credentials of a user with rights to add this domain controller to the domain, and the domain name. Click Next. See Figure 6.
7.3. Domain Name – Enter the domain name, or click Browse to locate it. Click Next. See Figure 7.
7.4. Database and Log Location – Select the defaults and click Next. See Figure 8.
7.5. SysVol Location – Select the default location and click Next. See Figure 9.
7.6. Directory Services Restore Mode Administrator Password – Type it in, document it, and click Next. See Figure 10. Guard it like the Domain Admin password: it is a local administrator credential for the domain controller when booted into Directory Services Restore Mode, and domain password policy never changes it.
7.7. Summary Page – Review the summary and click Next.
7.8. Configuring – Wait for this to complete. See Figure 11.
7.9. Completed – Click Finish.
7.10. Reboot – A reboot is necessary to complete the installation of the Active Directory components.
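Step 6.1 sends you to KB234790 to find the FSMO role holders, and step 6.4 has you read the adprep log by hand. The PowerShell script below is an added example, not from the original document or from Microsoft, that does both from a machine joined to the Windows 2000 domain (for instance the surrogate once it is joined, or an XP workstation; PowerShell 2.0 does not install on Windows 2000 itself): it reads the role holders from the directory, reports the forest schema version, and scans the adprep logs on the Schema Master over its admin$ share. Run it before steps 6.2 and 6.3 to learn where adprep has to run, and again afterwards to confirm the result; adprep itself still runs locally on the role holders. The domain controller name OLDSRV is an assumption; the schema objectVersion values are the known ones (13 = Windows 2000, 30 = Windows Server 2003, 31 = Windows Server 2003 R2).

```powershell
# Added example: locate FSMO role holders, report the schema version, and scan
# the adprep logs over the network. Assumes PowerShell 2.0 on a domain-joined
# machine; any domain user can read these attributes. $Dc is an assumption.
param([string]$Dc = "OLDSRV")

$rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
$schemaNC = "$($rootDse.schemaNamingContext)"
$configNC = "$($rootDse.configurationNamingContext)"
$domainNC = "$($rootDse.defaultNamingContext)"

function Get-RoleHolder([string]$Dn) {
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $owner = ([ADSI]"LDAP://$Dc/$Dn").Properties["fSMORoleOwner"].Value
    if ("$owner" -match '^CN=NTDS Settings,CN=([^,]+),') { $matches[1] } else { "$owner" }
}

function Get-SchemaVersion {
    # objectVersion on the Schema naming context; known values:
    # 13 = Windows 2000, 30 = Windows Server 2003, 31 = Windows Server 2003 R2
    [int]([ADSI]"LDAP://$Dc/$schemaNC").Properties["objectVersion"].Value
}

$roles = @{
    'Schema Master (adprep /forestprep runs here)'         = Get-RoleHolder $schemaNC
    'Domain Naming Master'                                 = Get-RoleHolder "CN=Partitions,$configNC"
    'Infrastructure Master (adprep /domainprep runs here)' = Get-RoleHolder "CN=Infrastructure,$domainNC"
    'PDC Emulator'                                         = Get-RoleHolder $domainNC
    'RID Master'                                           = Get-RoleHolder "CN=RID Manager`$,$domainNC"
}
$roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

$version = Get-SchemaVersion
$state = switch ($version) {
    13 { 'Windows 2000' } 30 { 'Windows Server 2003' } 31 { 'Windows Server 2003 R2' }
    default { 'unrecognised' }
}
"Forest schema objectVersion: $version ($state)"
if ($version -lt 31) { "adprep /forestprep from the R2 media has not completed yet." }

# Step 6.4 over the network: every adprep log on the Schema Master, any line
# that mentions an error. admin$ maps to %SystemRoot% on the remote machine.
$schemaMaster = Get-RoleHolder $schemaNC
$logDir = "\\$schemaMaster\admin`$\system32\debug\adprep\logs"
if (Test-Path $logDir) {
    $hits = Get-ChildItem $logDir -Filter *.log -Recurse | Select-String -Pattern 'error' -SimpleMatch
    if ($hits) { $hits | Select-Object Filename, LineNumber, Line | Format-Table -AutoSize }
    else       { "No errors found in $logDir" }
} else {
    "No adprep logs at $logDir (adprep has not run, or admin`$ is not reachable)"
}
```

A version that stays at 13 after step 6.2 means forestprep ran on the wrong machine or did not complete; a version of 31 with error lines in the log means the schema is extended but one of the post-schema operations (permissions, display specifiers) failed, which is worth chasing before dcpromo in step 7 rather than after.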
8. Data Migration – Use Robocopy, a free utility from Microsoft provided in the Windows Server 2003 Resource Kit [10, resource], to transfer all files from the file share locations on the old server to the surrogate server. Set up the file shares on the surrogate by referring to the old server. Take this opportunity to clean up your logon scripts. There are many good alternatives to batch scripting that simplify advanced configuration techniques; KiXtart is an excellent example, with a tremendous peer support group and excellent documentation.
TIP: A quick way to record a list of existing file shares is to open Computer Management, expand the Shared Folders object, right-click Shares, and choose Export List to export a list of shared folders in text format. Another option is to open a shell window and type 'net share > c:\shares.txt'. This creates a similar list in C:\, called shares.txt.
TIP: There is a freeware graphical user interface for the Robocopy shell utility on SHSOFT's website [11, resource], in the Tools section. It greatly simplifies the copy process.
9. Migrate Printers – If your environment is complex, you can use Printer Migrator v3.1, a free download from Microsoft. If not, install the printers manually on your surrogate server.
10. Active Directory Migration – If you chose to create a new domain, migrate all workstations, users, and groups to the new domain using the Active Directory Migration Tool (ADMT) v3.0, found on the Windows Server 2003 installation disk in the i386\ADMT folder.
10.1. Requirements for the user running the tool:
a) Administrator rights to the source domain, and to all computers that will be migrated.
b) All computers you plan to migrate must have the administrative shares C$ and ADMIN$ available.
c) You must be a member of the local Administrators group.
d) The source domain must trust the target domain. Set up this trust in the Active Directory Domains and Trusts MMC snap-in.
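Step 8 and its share-list tips above describe the file copy by hand. As an added example (not part of the original document), the PowerShell script below, run on the surrogate, enumerates the old server's disk shares through WMI (the same information as 'net share'), copies each one with Robocopy while preserving NTFS permissions, owners and auditing entries, checks the Robocopy exit code, and re-creates the share. It assumes PowerShell 2.0 on the surrogate, Robocopy from the Resource Kit on the PATH, and an account that is an administrator on both machines; the names OLDSRV, D:\Shares and C:\Eval\robocopy are assumptions.

```powershell
# Added example: migrate the old server's disk shares to the surrogate with
# Robocopy, keeping NTFS ACLs, owners and auditing. Names are assumptions.
param(
    [string]$OldServer = "OLDSRV",
    [string]$Root      = "D:\Shares",
    [string]$LogDir    = "C:\Eval\robocopy"
)
New-Item -ItemType Directory -Path $Root, $LogDir -Force | Out-Null

# Type 0 = ordinary disk shares, which excludes C$, ADMIN$, IPC$ and printer
# shares. Those must never be copied as if they were data.
$shares = @(Get-WmiObject Win32_Share -ComputerName $OldServer -Filter "Type = 0")

# Same information as 'net share > shares.txt', kept for the Evaluation Worksheet.
$shares | Select-Object Name, Path, Description |
    Export-Csv (Join-Path $LogDir "shares.csv") -NoTypeInformation

foreach ($s in $shares) {
    $src = "\\$OldServer\$($s.Name)"
    $dst = Join-Path $Root $s.Name
    $log = Join-Path $LogDir ("{0}.log" -f $s.Name)

    # /E        subdirectories, including empty ones
    # /COPYALL  = /COPY:DATSOU: data, attributes, timestamps, security (DACL),
    #             owner and auditing (SACL); needs Backup/Restore privilege
    # /R:2 /W:5 do not let one locked file stall the whole job
    # /NP       no per-file progress noise in the log
    & robocopy $src $dst /E /COPYALL /R:2 /W:5 /NP "/LOG:$log"

    # Robocopy's exit code is a bit mask: 1 copied, 2 extras, 4 mismatches are
    # informational; 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "$src -> $dst had failures (exit $LASTEXITCODE); see $log"
        continue
    }

    # Re-create the share. Robocopy carries the NTFS ACLs but not share-level
    # permissions; 'net share' creates it with the default share ACL, so copy
    # any non-default share permissions from the old server by hand.
    $netArgs = @("share", "$($s.Name)=$dst")
    if ($s.Description) { $netArgs += "/REMARK:$($s.Description)" }
    & net $netArgs | Out-Null
    "Migrated $src to $dst"
}
```

Two things to check afterwards. First, read each log for the "FAILED" lines rather than trusting the exit code alone; a handful of locked files under a user's profile is normal, a failed directory is not. Second, if you chose a new domain in step 7.1, the copied ACLs still refer to the old domain's SIDs and only resolve through the SID history that ADMT adds in step 10; without it you will have to re-permission the shares after migrating the accounts.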
10.2. OPTIONAL – These steps are not required, but may ease the migration process.
a) Create a local group in the source domain named %sourcedomain%$$$. This group must be empty.
b) Turn on auditing for success and failure of account management in both domains, in the Default Domain Controllers Group Policy. This will aid troubleshooting in the event of failures.
c) Configure the source domain to allow Remote Procedure Call (RPC) access to the Security Accounts Manager (SAM) by setting the following registry value on the Primary Domain Controller (PDC) Emulator in the source domain to ‘1’: HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport. Reboot the domain controller after this change.
d) You may also choose to migrate passwords by using the Password Export Server (PES) DLL:
• On the server where ADMT is installed (in the target domain), in a shell window, run 'admt key SourceDomain path [* | password]', without quotes, where ‘SourceDomain’ is the NetBIOS name of the source domain and ‘path’ is the local location for the exported key file (.pes).
• Move the exported .pes file to a domain controller in the source domain; that is where the Password Export Server is installed, while ADMT itself stays on the target-domain server. The file holds the key that protects password traffic between the two domains, so keep it off shared locations and delete it once the installation is done.
• Insert the Windows Server 2003 disk in that source domain controller and run pwmig.exe from the i386\ADMT folder on the CD to install the Password Migration DLL. You will be asked for the location of the .pes file.
• After the installation completes, you are required to restart the server.
• To allow passwords to be migrated, set the following registry value on that same source domain controller to a DWORD of ‘1’: HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExport. Set it back to 0 when the migration is finished.
10.3. ADMT Failure – If ADMT fails to migrate the users, groups, and workstations to the new domain, you must create the users and groups by hand in the Active Directory Users and Computers MMC snap-in on the new server. You must also join each workstation to the new domain and use “brute force” methods to retain user profile settings on the individual workstations.
Windows XP user settings are typically stored in the C:\Documents and Settings\‘UserName’ folder, where ‘UserName’ (without quotes) is the user's logon name. Follow the guidelines below for the process.
• As a domain administrator, log on to the workstation and join it to the new domain. Reboot the workstation when prompted.
• Log on as the user whose profile needs to be migrated. Reboot the workstation, as this will release any file locks in that profile directory.
• Log on as a domain administrator. Look in the “C:\Documents and Settings” folder for two profiles that match the user's login name. The old profile will be named ‘UserName’ or ‘UserName.OldDomainName’; the new profile will be named ‘UserName.DomainName’. Copy all files from the old profile directory to the new one. You will likely need to take ownership of these files to be successful.
Optionally, you may try these tools provided by Microsoft to automate this. I have not used them, so cannot attest to their usefulness.
• Moveuser.exe from the Windows Server 2003 Resource Kit [10, resource] will move local user profiles to domain user profiles. This method is documented to have issues at times. Your mileage may vary.
• User State Migration Tool (USMT) [12, resource] will migrate user state from old XP workstations to new ones. There are many options to choose from, so read the documentation carefully.
11. DCPROMO – Run dcpromo.exe on the Windows 2000 Server after Active Directory replication has succeeded, to remove Active Directory from that server. Before demoting it, confirm that the surrogate holds a complete, healthy replica (Active Directory Sites and Services, or repadmin /showrepl from the Support Tools) and make the surrogate a Global Catalog in the NTDS Settings properties of Active Directory Sites and Services, since several logon paths and Exchange depend on one. Check the event logs for information regarding the process.
12. Internet Information Services – The most reliable way to migrate Internet Information Services (IIS) settings is with the IIS 6.0 Migration Tool, a free shell utility from Microsoft. The tool transfers configuration data, web site content, and application settings to a new IIS 6.0 server.
12.1. Additional configuration will be necessary after using the utility, since these items will not migrate [13, referenced from Alexander Zubair, “21 Things IIS 6.0 Migration Tool Doesn't Do”]:
a) The FrontPage Server Administrator account is not migrated and will need to be recreated manually. Additionally, web sites with custom security settings for FrontPage Server Extensions will need to be configured on the destination server.
b) IIS 5.0 registry settings – only settings in the metabase are migrated, not registry settings.
c) If any local security accounts were specified in place of the Anonymous User or WAM User, these will have to be created manually on the new server.
d) MIME types.
e) Digital certificates.
f) ISAPI filters or extensions that do not reside within the migrated content. Additionally, you will have to enable any filters or extensions you need, since by default none are enabled in IIS 6.0.
g) If the Windows installation directory (WINNT, WINDOWS, etc.) differs between source and destination, the metabase references to these locations will need to be changed.
h) A virtual site's sub-directory path cannot be changed, only the site root. Ensure destination drives exist, since the tool will attempt to migrate the data to those locations. If the destination drive does not exist, manually copy the content and update the metabase.
i) Log files.
j) Web application DLLs.
k) ASP.NET process model settings.
l) Files or content that reside outside the web root.
m) Databases and ODBC connections.
Items c, e, and f are the security-relevant ones: review what the anonymous account can reach before re-creating it, reinstall certificates together with their private keys, and enable only the web service extensions your sites actually use rather than everything that was enabled on IIS 5.0.
13. SQL Server – There are two methods for migrating SQL databases. First, ensure the new server has SQL Server installed and running properly. Second, ensure both servers are patched to identical levels, and choose one of the methods below for transferring the data.
13.1. Data Transformation Services – SQL Server database migration is most easily performed with Data Transformation Services (DTS) in SQL Enterprise Manager, which transfers the database from one server to another. Using the DTS wizard, one can set up the transfer of a database to another SQL Server in minutes.
a) Open Enterprise Manager. Expand the server object and drill down to the databases. Right-click the database to be moved and select Properties to confirm it is the right one; right-click it again and select All Tasks, Export. The DTS wizard appears. Click Next.
b) Choose a Data Source – Your default data source, server, database, and authentication method will be selected automatically; check them to be sure. Click Next. See Figure 12.
c) Choose a Destination – Select the destination server from the Server drop-down box. If the destination database has already been created, select it; otherwise choose the entry that creates a new database (step d). See Figure 13.
d) Create Database – Create your destination database by typing in the name, and click OK. See Figure 14.
e) Specify Table Copy or Query – Select the last option, to copy all database objects and data to the new server. Click Next. See Figure 15.
f) Select Objects to Copy – Accept the default options and click Next. See Figure 16.
g) Save, Schedule, and Replicate Package – These options allow you to start the transfer immediately, schedule it for later, or even set up a replication schedule. Choose the default and click Next. See Figure 17.
h) Summary – This window summarizes your choices. Click Next to start the transfer. See Figure 18.
13.2. Data Copy Method – You can “forklift” the database, physically copying the database and transaction log files to a new location.
a) Using SQL Enterprise Manager, find your database in the server object list, right-click it, and choose Properties.
The Data Files tab and Transaction Log tab show the file names and paths. Note these for the next step.
b) Right-click the database, select All Tasks, Detach Database. Copy the .mdf database file and the .ldf transaction log you noted in the previous step to a location on the destination server.
c) Once the data is copied, use SQL Enterprise Manager to attach the migrated database: expand the server object, right-click the Databases folder, and select All Tasks, Attach Database.
IMPORTANT: Whatever method you use to migrate the database, it is imperative that you contact the software vendors whose applications created the databases to determine whether any machine-specific information is stored in them. Examples could be UNC paths, machine names, or other information that could adversely impact application performance.

.: Post Installation

Once you are satisfied that your new server is correctly installed and configured, and all Microsoft components are migrated, refer to the Application Migration section below for techniques for this phase. If you chose the Surrogate Migration, perform a fresh installation of Windows Server 2003 on your old Windows 2000 Server machine, referring to the Clean Installation section above for tips. Step through the Surrogate Migration steps again to migrate the applications and Windows settings back to the original server. Finally, demote the surrogate server by running dcpromo.exe, and remove it from service. Re-enable the anti-virus software disabled in step 5 on every server that remains in service, and disable or delete any accounts, trusts, and registry settings (such as AllowPasswordExport) that were created only for the migration.

.: Application Migration

Application migrations vary in complexity. It is best to involve the manufacturer of the software if possible, since they will be aware of any nuances and of special tools available, but this is not always possible. Check the manufacturer's website and consult peer groups if you can. Migration could be a simple matter of installing the application on the new server, ticking a few boxes, and pointing it at the new SQL databases.
If there is a client component, it will likely involve changing software settings on the workstations. Some applications are custom Access databases, FoxPro, or similar. These applications will always require the help of the developer because of modifications that typically occur over time, which may adversely affect the migration process. If the developer is not available, or documentation is poor, a fair amount of investigatory work will be in order. This usually involves meticulously combing through the Windows registry for pieces of the installation, exporting those hives to the destination server, copying all of the data files over, and running the program through it's paces, waiting for errors. These errors will be significant clues to missing files that are needed for a successful migration. Diligence will pay of in many cases, making you look like a hero when the application is finally migrated. Many software manufacturers make migration utilities to simplify the migration process. Trend Micro and Symantec integrate tools for their enterprise anti-virus (AV) suites that allow for the copying of configuration and moving managed workstations from one AV server to another. Other techniques might involve capturing screen shots of an applications setting for documenting the setup. Once the new server has the software installed, the configuration settings are then set by hand, referencing said screen shots. Lesser encountered situations of migration issues are custom or legacy applications that require elevated privileges to run. Tools such as Filemon and Regmon, that monitor file and registry usage can help pinpoint possible issues, and isolate the privileged environment [5, from Marcin Polichts’ article “Deploying Windows XP, Application Migration”]. As in all migrations and upgrades, test all applications before assuming they’ll work. 
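Combing the registry for the pieces an installer left behind, and the IMPORTANT note in the database section about UNC paths and machine names, come down to the same search: which settings still point at the old server. The following Python script is an added example, not from the paper or any vendor tool; it parses a .reg export (the sample is constructed, with the invented host name OLDSRV01 and address 192.168.10.5) and reports each string value that holds the old machine name, a UNC path, an IP address or a local drive path, so each can be reviewed before the hives are imported on the destination.

```python
import re

# Constructed sample of a .reg export from the old server; the vendor,
# host name OLDSRV01 and address 192.168.10.5 are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\LedgerApp]
"DataPath"="\\\\OLDSRV01\\LedgerData\\current"
"ServerName"="OLDSRV01"
"DbConnect"="Data Source=192.168.10.5;Initial Catalog=Ledger"
"InstallDir"="D:\\Apps\\Ledger"
"Version"="3.2.1"
"LogLevel"=dword:00000002
"""

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Yield (key, value_name, data) for each string value; dword:/hex: are skipped."""
    key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else '(Default)'
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            # undo .reg escaping: \\ becomes \ and \" becomes "
            yield key, name, re.sub(r'\\(.)', r'\1', data[1:-1])

def find_machine_specific(text, old_names):
    """Return [(key, value_name, data, reasons)] for values tied to the old server."""
    names = [n.lower() for n in old_names]
    hits = []
    for key, name, data in parse_reg(text):
        reasons = []
        if any(n in data.lower() for n in names):
            reasons.append('old server name')
        if data.startswith('\\\\'):
            reasons.append('UNC path')
        if re.search(r'\b\d{1,3}(?:\.\d{1,3}){3}\b', data):
            reasons.append('IPv4 address')
        if re.match(r'^[A-Za-z]:\\', data):
            reasons.append('local drive path')
        if reasons:
            hits.append((key, name, data, ', '.join(reasons)))
    return hits
```

Every hit is a value to rewrite or verify on the new server before the application is started there; a value that only names a local drive path still needs that path to exist on the destination.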
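To turn a Filemon/Regmon capture into a concrete list of the files and keys a legacy application is refused, so those few objects can be opened up instead of running the program as an administrator, the following added Python example (not from the paper or the Sysinternals tools) parses a saved log. The log lines are constructed, and the tab-separated column layout is an assumption about the export, not a documented format.

```python
from collections import defaultdict

# Constructed sample of a saved Filemon/Regmon-style log, assumed here to be
# tab-separated as: seq, time, process:PID, request, path, result, other.
# The application, paths and times are invented.
SAMPLE_LOG = """\
1\t10:02:13.041\tledger.exe:1844\tOpenKey\tHKLM\\SOFTWARE\\ExampleVendor\\LedgerApp\tACCESS DENIED\tAccess: 0x2001F
2\t10:02:13.042\tledger.exe:1844\tOpenKey\tHKLM\\SOFTWARE\\ExampleVendor\\LedgerApp\tSUCCESS\tAccess: 0x20019
3\t10:02:13.100\tledger.exe:1844\tCREATE\tC:\\Program Files\\Ledger\\ledger.log\tACCESS DENIED\tAccess: Write
4\t10:02:13.120\tledger.exe:1844\tOPEN\tC:\\Program Files\\Ledger\\config.ini\tSUCCESS\tAccess: Read
5\t10:02:13.200\texplorer.exe:1200\tOpenKey\tHKCU\\Software\\Microsoft\\Windows\tACCESS DENIED\tAccess: 0x2001F
6\t10:02:13.310\tledger.exe:1844\tSetValue\tHKLM\\SOFTWARE\\ExampleVendor\\LedgerApp\\LastRun\tACCESS DENIED\t2007-11-07
7\t10:02:13.330\tledger.exe:1844\tCREATE\tC:\\Program Files\\Ledger\\ledger.log\tACCESS DENIED\tAccess: Write
"""

def triage_denials(log_text, process_name):
    """Group ACCESS DENIED events of one process by path.
    Returns {path: (sorted distinct requests, retried_ok)}. retried_ok is True
    when the same path later succeeded for that process: the usual pattern is
    a request for full access that is refused, then a read-only reopen that
    works, which needs no ACL change at all."""
    denied, retried_ok = defaultdict(set), set()
    for line in log_text.splitlines():
        fields = line.split('\t')
        if len(fields) < 6:
            continue
        process, request, path, result = fields[2:6]
        if process.split(':')[0].lower() != process_name.lower():
            continue  # Filemon/Regmon log the process as name:PID
        result = result.strip().upper()
        if result == 'ACCESS DENIED':
            denied[path].add(request)
        elif result == 'SUCCESS' and path in denied:
            retried_ok.add(path)
    return {p: (sorted(r), p in retried_ok) for p, r in denied.items()}

REG_ROOTS = ('HKLM', 'HKCU', 'HKCR', 'HKU', 'HKCC', 'HKEY_')

def acl_changes_needed(triage):
    """Split unresolved denials into registry keys and file paths: the two
    lists to grant the application's own (non-admin) account rights on."""
    keys, files = [], []
    for path, (requests, retried_ok) in sorted(triage.items()):
        if retried_ok:
            continue
        (keys if path.upper().startswith(REG_ROOTS) else files).append((path, requests))
    return keys, files
```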
.: Conclusion

This document sheds more light on the process of server upgrades, and consolidates some of the reference material in one handy location for your next upgrade project. My hope is that you learn that there is more than one approach to this type of project, and while you may not agree with everything written, some of it will present value. I know I have learned more about this process, and the value of performing complete research into it beforehand.

.: References

[1] Darryl Peddle, “Coping with a serious data loss from your computer hard drive”, HomeNetworkHelp.info, retrieved 6 Nov 2007.
[2] “Windows Server 2003 Active Directory”, Microsoft Corporation, retrieved 21 Oct 2007.
[3] “Upgrading from Windows Server 2000 to Windows Server 2003”, Microsoft Corporation, February 2003.
[4] Daniel Petri, “What do I need to do to prepare my Windows 2000 forest for the installation of the first Windows Server 2003 DC?”, petri.co.il, retrieved 6 Nov 2007.
[5] Marcin Policht, “Deploying Windows XP, Application Migration”, Server Watch, 3 March 2005, retrieved 21 Oct 2007.
[6] “Windows Server Catalog of Tested Products”, Microsoft Corporation, retrieved 22 Oct 2007.
[7] “Belarc Advisor – Free Personal PC Audit”, Belarc, Inc., retrieved 31 Oct 2007.
[8] “Microsoft Volume Licensing Home Page”, Microsoft Corporation, retrieved 9 Nov 2007.
[9] Jack Taugher, VP, Air Technology Services, Brookfield, WI, telephone interview, 26 Oct 2007. Interview questions:
1. How long have you been in the IT field?
2. Which was the most difficult server upgrade you've performed?
3. Which was the easiest?
4. What tip would you give someone about to perform an Active Directory migration?
5. Do you have a preference in server hardware, and if so, which manufacturer and why?
6. What legacy application migration insight can you provide?
7. What resources do you commonly use for information?
[10] “Windows Server 2003 Resource Kit Download”, Microsoft Corporation, retrieved 7 Nov 2007.
[11] SH-SOFT Corporation, retrieved 7 Nov 2007.
[12] “User State Migration Tool Download”, Microsoft Corporation, retrieved 7 Nov 2007.
[13] Zubair Alexander, McCann Enterprises LLC, “21 Things IIS 6.0 Migration Tool Doesn't Do”, TechGalaxy.net, retrieved 7 Nov 2007.

.: Glossary of Terms

Active Directory – Microsoft's implementation of LDAP directory services.
Cluster – A group of loosely coupled computers that work together in such a way that they can be treated as a single computer, typically for load balancing or high availability.
DHCP – Dynamic Host Configuration Protocol. This is a protocol used by network devices to obtain IP addresses, and additional information such as DNS server, routing information, and subnet mask, from a DHCP server.
DLL – Dynamic Link Library. Files that contain shared library information.
DNS – Domain Name Service. Think of this as the phone directory of the Internet. Where your name in the phone directory is associated with a phone number, Domain Name Service associates a domain name like www.google.com with an IP address.
FSMO – Flexible Single Master Operations, the acronym that describes the five roles in Active Directory:
■ Schema Master
■ Domain Naming Master
■ RID Master
■ PDC Master
■ Infrastructure Master
IP – Internet Protocol is a data-oriented protocol used for communicating data across a packet-switched network.
LAN – Local Area Network. Denotes a small, private network.
MBSA – Microsoft Baseline Security Analyzer. Freely downloadable from the Microsoft website, it will scan a target machine and provide a list of missing patches, known security issues, and detailed instructions on resolving those issues.
NetBIOS – Network Basic Input/Output System. Allows applications on separate computers to communicate in a LAN environment.
OEM – Original Equipment Manufacturer.
Paging – The Windows method used for virtual memory allocation.
Primary Domain Controller – The server that houses user, group, and machine accounts.
RAID – Redundant Array of Inexpensive Disks. These are two or more disks combined using special hardware to appear to be a single logical disk. Provides redundancy, but not designed for data protection. RAID levels:
■ RAID 0 – Data spread across many disks, improving data access. Example: 3 disks of 20GB combined appear to be a single 60GB disk. DANGEROUS: If one disk fails, ALL DATA IS LOST.
■ RAID 1 – Disk A is mirrored to disk B. Highest overhead of all RAID levels, but very redundant.
■ RAID 5 – Data spread across three or more disks, with parity. Highest read rate, medium write rate, high efficiency.
RAM – Random Access Memory. RAM is used for storing data in a computer. It is random and volatile, losing whatever it holds when power is lost. Measurements of RAM are in Megabytes, Gigabytes, and Terabytes.
RPC – Remote Procedure Call. A technology that allows execution of remote processes across shared networks, usually on another computer.
SAM – Security Account Manager. A database present on servers that stores user accounts and security descriptors for users on the local computer.
SQL – Structured Query Language. The language used by nearly every database server on the market today, used to retrieve and manage data in relational database systems.
UNC – Uniform Naming Convention. A common syntax that describes the location of a network resource, such as a printer, directory or file.
WAN – Wide Area Network. Denotes a large network, crossing public networks. The largest and most recognized example of this is the Internet.
WINS – Windows Internet Name Service. Microsoft's implementation of a NetBIOS name server on Windows.
Hardware worksheet – columns: Hardware Component | Manufacturer | Model | HCL Verified? (Yes/No). Rows to complete: Serial Port Adapter, USB Controller, Pointing Device, Keyboard, Smartcard Reader, ISDN Modem, DSL Modem, Wireless Modem, Video Card, Monitor, LAN Card, WAN Device, Wireless Device, ATM Adapter, Printer 1, Printer 2, Printer 3, Printer 4, Printer 5, Scanner, Sound, RAID Storage, Storage Adapters and Controllers, Hardware Based RAID (Storage Array), Optical Disk Drive, Hard Disk Drive, Tape Drives, Medium Changer, Removable Storage, iSCSI Boot Component, Bridge, UPS.
HARDWARE NOTES

Software worksheet – columns: Software Name | Manufacturer | Version | Patches or Updates Available? (Yes/No).
SOFTWARE NOTES

Workstations worksheet – columns: Department | Asset or Workstation # | User Name | Special Configuration.
WORKSTATION NOTES

Services worksheet – columns: Service Name | Associated Program | Manufacturer | Start Method.
SERVICES NOTES