Migrating a Windows NT Server to NetWare
01 Apr 2001
One of the most common tasks network administrators face today is consolidating servers. Many organizations are purchasing new enterprise-class servers that can effectively perform the workload of multiple existing servers. In many cases, organizations are consolidating one or more Windows NT servers to a single NetWare server.
In addition, with the release of Windows 2000, many organizations are reevaluating their server strategy. Some of these organizations are deciding to migrate to NetWare, rather than upgrading their Windows NT servers to Windows 2000 servers.
For years, network administrators have struggled with migrating Windows NT servers to NetWare. Because no one offered a simple migration utility, network administrators were forced to identify creative solutions for performing this migration. For example, many network administrators used the NDS for NT installation program to automate a part of this migration. (NDS for NT is now called Novell Account Management.) The NDS for NT installation program reads all of the usernames and groups from the Windows NT domain and migrates them to NDS eDirectory.
But what about the data? To migrate the data, you had to manually copy the data from the Windows NT server to the NetWare server.
And what about rights to the data? To migrate rights, you had to write all of the Windows NT usernames and groups and their associated rights on a piece of paper--not an easy task. You then had to reassign these rights to the corresponding users and groups in NDS eDirectory. This "solution" leveraged the highly evolved PNTP--paper napkin transfer protocol.
This process was not only difficult and time-consuming but also prone to error. Even if you were successful in performing each of these tasks, you were far from being done. What about users' home directories and roaming profiles?
Novell has solved the problem of migrating Windows NT servers to NetWare with the release of NetWare Migration Wizard 4.0. This utility enables you to completely migrate a Windows NT server to a NetWare server with only a few clicks of the mouse. NetWare Migration Wizard 4.0 automates all of the tasks listed above, allowing you to consolidate servers quickly and completely.
Note. Novell provides two upgrade utilities on its web site. The first utility is the Novell Upgrade Wizard 3.1, which migrates existing NetWare servers to new NetWare servers. (You can download this utility from www.novell.com/products/upgradewizard/quicklook.html.) The second utility is NetWare Migration Wizard 4.0, which migrates Windows NT Servers 4.0 or 3.51 to NetWare 5.1. (You can download this utility from www.novell.com/download.) Novell will release an update to these utilities later this year. This update will combine the functionality of both utilities into one utility.
HOW NETWARE MIGRATION WIZARD 4.0 WORKS
NetWare Migration Wizard 4.0 is a simple tool with an extremely attractive price: It's free. You can download NetWare Migration Wizard 4.0 from www.novell.com/download. The file itself is a little more than 10 MB in size.
After you download the file, you install it by simply double-clicking the file and answering a couple of questions. You will then be ready to migrate a Windows NT Server to NetWare.
The NetWare Migration Wizard 4.0 installation adds a shortcut to the Start menu under Programs/Novell/NetWare Migration Wizard. When you launch this shortcut, you are guided through a series of questions. Your answers instruct NetWare Migration Wizard 4.0 which users, groups, and data you want to migrate and how you want the migration to be performed. These preferences are stored in a project file (.mdb extension), which is actually a database with a Microsoft Access format.
Much of the data that is written to the project file is generated from what is called the Project Window. In the Project Window, you see the Windows NT domain on the left half of the screen and the NDS tree on the right half of the screen. (See Figure 1.)
To migrate users, groups, or data, you simply select the objects on the left and drag-and-drop them to the desired location on the right. The migration is not actually performed at this point; you are simply building the project file, which is then used to do an offline modeling of the actual migration.
After collecting all of the necessary information about what you want migrated, NetWare Migration Wizard 4.0 simulates the migration and checks for any possible problems before you perform the actual migration. If NetWare Migration Wizard 4.0 detects potential problems, it notifies you and gives you the opportunity to correct the problems before the actual migration occurs. The migration occurs only when you are comfortable that it will be a success.
NetWare Migration Wizard 4.0 is unobtrusive on the Windows NT server being migrated. Because the utility simply reads data from the Windows NT server and then migrates that data to a separate NetWare server, users can continue to use the Windows NT server before, during, and after the migration. You can then retire the Windows NT server after the migration is completed and after you have verified that the migration has been a complete success.
You must run NetWare Migration Wizard 4.0 from a Windows 2000 or NT workstation or server. The application programming interfaces (APIs) necessary to migrate a Windows NT domain are not available on Windows ME, 98, or 95. Novell recommends that you execute NetWare Migration Wizard 4.0 on the Windows NT server being migrated rather than on a workstation. Running this utility on the server that is being migrated is much quicker because the data does not have to be transferred from the Windows NT server to the Windows workstation and then to the NetWare server.
NetWare Migration Wizard 4.0 also requires that the server or workstation be running version 4.71 or higher of Novell Client for Windows NT/2000. To check the version of Novell client that is running on a server or workstation, you right-click the red "N" in the system tray and then click Novell Client Properties.
NetWare Migration Wizard 4.0 also requires that the Windows NT server being migrated is running Windows NT Service Pack 6 or above. The easiest way to verify the version of the Windows NT Service Pack that is installed on a server is to click Start/Run and enter winver.
Finally, the Windows NT server or workstation on which you will run NetWare Migration Wizard 4.0 must be a member of the same domain as the Windows NT server you are going to migrate. In addition, NetWare Migration Wizard 4.0 migrates only servers that are members of a Windows NT domain. You cannot use NetWare Migration Wizard 4.0 to migrate standalone workgroup servers.
You will also require the following permissions to perform the migration:
Write/Modify permissions to the Windows NT domain of which the server you will migrate is a member
Write/Modify permissions to the registry of the Primary Domain Controller (PDC) on the same domain
Read permissions to all folders and files you will be migrating
Read/Write rights to the NDS Organizational Units (OUs) to which you will migrate users
Read/Write rights to the NetWare volume(s) to which you will migrate the Windows NT shares
Before you install NetWare Migration Wizard 4.0, you should ensure that the workstation or server on which you will run this utility has at least 30 MB of free disk space. After NetWare Migration Wizard 4.0 is installed, you must ensure that you have at least 1 MB of free space on the partition in which the TEMP directory is located. You need this space because the user profiles (NTUSER.DAT or NTUSER.MAN) are copied to this TEMP directory before they are copied to the NetWare server.
MIGRATING DOMAIN USERS AND GROUPS
The most logical place to start the migration process is with users. During the migration process, you are asked if you want NetWare Migration Wizard 4.0 to search the NDS tree and match existing NDS users with the domain users you are about to migrate.
NetWare Migration Wizard 4.0 searches the entire NDS tree or portions of the NDS tree (as you instruct it) for users with identical names. If NetWare Migration Wizard 4.0 finds multiple NDS users with the identical name as a domain user, you are given the opportunity to select the NDS account that will be merged with the domain user. As the two accounts are being merged, the existing NDS user properties are not modified.
If domain user accounts do not have corresponding NDS accounts, you may want to set up a template that NetWare Migration Wizard 4.0 can use to create new NDS accounts. To do this, simply use ConsoleOne or the NetWare Administrator (NWADMIN) utility to create a Template object in NDS eDirectory. NetWare Migration Wizard 4.0 prompts you to select the Template object you want to apply to domain users as they are migrated. Remember that pre-existing NDS users' properties will not be overwritten by settings from corresponding domain users, even if the settings are defined in an NDS Template object.
If you want to use one Template object for some users and a different Template object for other users, you can run NetWare Migration Wizard 4.0 as many times as you want and migrate different users using different Template objects. As will be explained later in this article, if you want to copy the Windows NT users' home and profile directories, you must use a Template object.
Migrating domain groups requires a little more planning than migrating users. You will need to understand how domain groups work to make the correct decisions.
As you know, domains have Local and Global groups. You use Local groups to grant access to resources in the same domain as the group. You use Global groups to grant users access to resources in other domains. Because NDS eDirectory has a hierarchical structure, most NDS administrators manage access permissions by assigning access control to OUs, which eliminates the need for Global groups.
Migrating groups has another tricky component: By default, in Windows NT, the Everyone group receives all rights to a folder when that folder is created. The Everyone group itself is not migrated to NDS eDirectory during the migration. If you migrate the Everyone permission, however, the Everyone rights will be assigned to a single NDS OU.
The Everyone rights will be assigned to the OU into which the NT Domain Info object is migrated. (See Figure 1.) The NT Domain Info object contains general information--such as policy packages and the Everyone group permissions--about the Windows NT domain.
MIGRATING FILES, FOLDERS, AND ACCESS CONTROL
As you probably know, you can assign both NT File System (NTFS) and share permissions to the same Windows files and directories. NetWare Migration Wizard 4.0 is aware of both sets of permissions and actually migrates both when you migrate a share that also represents an NTFS folder. In this case, NetWare Migration Wizard 4.0 merges the permissions and implements the least restrictive assignments.
NetWare Migration Wizard 4.0 does not migrate permissions that have been assigned to groups or users in trusted domains (domains other than the domain being migrated). You must reassign these permissions.
With NetWare Migration Wizard 4.0, you have the option of migrating just data and not the actual permissions. If you choose this option, you will need to reassign the access permissions to the NetWare file system after the data has been migrated.
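The share/NTFS merge described above is worth reviewing before you migrate permissions: on Windows NT, access through a share is limited by both the share and the NTFS permissions, so a least-restrictive merge can give a user more rights on the NetWare volume than that user effectively had. The following Python sketch is an added example, not part of the original article or of the wizard. It assumes "least restrictive" means the union of the two permission sets, ignores deny entries, and treats Everyone as applying to every migrated user; the trustees, group memberships, and permission labels are constructed sample data.

```python
"""Flag users whose access would widen when share and NTFS permissions are merged."""
from dataclasses import dataclass

# Constructed sample data for one shared folder (labels are simplified).
SHARE_ACL = {
    "Everyone": {"READ"},
    "Accounting": {"READ", "WRITE", "DELETE"},
}
NTFS_ACL = {
    "Everyone": {"READ"},
    "Accounting": {"READ", "WRITE"},
    "mlee": {"READ", "WRITE"},
}
# Constructed group memberships: user -> domain groups.
MEMBERSHIPS = {
    "jsmith": {"Accounting"},
    "mlee": set(),
    "guest1": set(),
}


@dataclass(frozen=True)
class Finding:
    user: str
    before: frozenset  # effective access through the NT share today
    after: frozenset   # access after the assumed least-restrictive merge

    @property
    def gained(self):
        return self.after - self.before


def effective(acl, trustees):
    """Union of the permissions granted to any trustee the user matches."""
    perms = set()
    for trustee in trustees:
        perms |= acl.get(trustee, set())
    return perms


def review_share(share_acl, ntfs_acl, memberships):
    """Return one Finding per user whose access widens after the merge."""
    findings = []
    for user, groups in sorted(memberships.items()):
        trustees = {user, "Everyone", *groups}
        share_eff = effective(share_acl, trustees)
        ntfs_eff = effective(ntfs_acl, trustees)
        before = share_eff & ntfs_eff  # NT over the network: both must allow
        after = share_eff | ntfs_eff   # assumed merge: either one allows
        if after - before:
            findings.append(Finding(user, frozenset(before), frozenset(after)))
    return findings


if __name__ == "__main__":
    for f in review_share(SHARE_ACL, NTFS_ACL, MEMBERSHIPS):
        print(f"{f.user}: had {sorted(f.before)}, gains {sorted(f.gained)}")
```

Users that appear in the output are candidates for tightening the NT permissions before the migration, or for migrating the data without permissions and assigning NetWare rights by hand.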
Because Windows NT permissions are different from NetWare rights, you should be aware of how they relate. (See "Comparing Windows NT Permissions and NetWare Rights.") For example, if a user has WRITE_OWNER and DELETE permission to a Windows NT file or folder, that user will be given DELETE, FILE SCAN, and ACCESS CONTROL rights to the corresponding NetWare file or directory.
As you would expect, NetWare Migration Wizard 4.0 allows you to determine what should happen if a duplicate file or folder is found on the NetWare server during the migration. You have three options. (See Figure 2.)
Don't Copy Over Existing Files. If you choose this option, existing files and folders on the NetWare volume will not be overwritten.
Copy the Source File if It Is Newer. If you choose this option, NetWare Migration Wizard 4.0 compares the source and target files or folders and retains the file or folder with the most recent time stamp.
Always Copy the Source File. If you choose this option, NetWare Migration Wizard 4.0 uses the Windows NT file or folders to overwrite the existing file or folders on the NetWare volume.
In most cases, you will want to select the second option to ensure that the most up-to-date data will remain on the NetWare volume after the migration is completed.
TRY BEFORE YOU BUY
Because NetWare Migration Wizard 4.0 simply reads information from the Windows NT server being migrated, the Windows NT server is not affected in any way during the migration. In fact, users can continue to use the server during and after the migration, allowing you to verify that the migration was successful before you retire the Windows NT server.
NetWare Migration Wizard 4.0 makes only one modification to the registry on the PDC. During the migration process, NetWare Migration Wizard 4.0 adds the key HKEY_LOCAL_MACHINE\Software\NetWare\NUW40 to the PDC's registry. Below this key, the utility adds the name of each domain user and group that is migrated with the corresponding NDS username or group name.
Because NetWare Migration Wizard 4.0 makes this registry change, you can migrate users and groups during one migration operation and migrate files and folders with associated permissions during a separate migration operation. You are also given the option to clear this registry change during the migration process. Of course, if you delete the registry settings and need to rerun NetWare Migration Wizard 4.0, the utility will have no record of what was migrated previously. As a result, NetWare Migration Wizard 4.0 would not be able to associate files, rights, and so on with users that had already been migrated.
After you have specified what information you want migrated and how you want it migrated, NetWare Migration Wizard 4.0 performs a verification process. This verification process is a simulated migration during which potential problems can be identified. If NetWare Migration Wizard 4.0 detects potential problems, you have the option to ignore them and proceed with the migration or to correct the problems and restart the verification process. NetWare Migration Wizard 4.0 performs the following checks in the order in which they are listed below:
Verifies that you have read rights to all folders and files that you have selected to migrate.
Verifies that you have read rights to all domain objects you have selected to migrate.
Scans NDS containers into which domain users and groups will be migrated for existing users and groups with identical names.
Identifies any domain users and groups that you have not selected to migrate.
Verifies that you have read rights to the domain users' home and profile directories. (By default, the domain administrator is not given read rights to those directories.)
Verifies that all members of groups being migrated have also been selected for migration. Selecting a group for migration does not automatically select the group members. If the Windows NT server includes Local groups with large numbers of embedded Global groups, the verification process may take a while.
After you have resolved any potential problems that are detected during the verification process, you are ready to actually perform the migration. Up to this point, you have only configured what will be migrated, specified how the migration will occur, and then simulated the migration. Now you are ready to proceed with the migration process, confident that it will be successful.
NetWare Migration Wizard 4.0 migrates objects and data from the Windows NT server to the NetWare server in a specific order. In this way, NetWare Migration Wizard 4.0 guarantees that as the objects are created in NDS eDirectory, any dependencies they may have are met. The objects are migrated in the following order:
New OUs are created in NDS eDirectory.
Domain users are migrated to NDS eDirectory.
Domain Local groups are migrated to NDS eDirectory.
Domain Global groups are migrated to NDS eDirectory.
Domain users' home directories are copied to the NetWare volume.
Domain users' profile directories are copied to the NetWare volume.
Any new directories are created on the NetWare volume.
Selected Windows NT directories and files are copied to the NetWare volume.
You have successfully migrated a Windows NT Server to a NetWare server. The following sections explain the trickier parts of the migration process.
TIPS FOR MIGRATING ROAMING PROFILES
Migrating roaming profiles and users' home directories is the trickiest part of migrating a Windows NT server to NetWare. Because these roaming profiles contain the working environment for roaming users, this part of the migration process is critical. The alternative is receiving help-desk calls from upset users who no longer have shortcuts or their personalized bitmap as wallpaper on their desktop.
Note. User profiles that are stored on a Windows NT 3.51 server are not migrated. The following discussion about migrating user profiles applies only to Windows NT 4.0 servers.
When home and profile directories are created on a Windows NT Server, by default only the corresponding user is given rights to those directories. The domain administrator can see the directories but doesn't automatically receive rights to read any data in those directories. To perform the migration, the domain administrator must be granted rights to read this data.
If you are going to migrate home directories or roaming profiles, you must ensure you have at least the read permission to these home and user profile directories. If you do not already have rights to these directories, getting these rights may not be a trivial task.
Unless all of the users you are going to migrate have corresponding NDS usernames with the home directory property defined, you must create an NDS Template object with the home directory property defined. As mentioned earlier, during the migration, you select a Template object that will be applied to the users as they are created in NDS eDirectory. The home directories, which include the users' roaming profiles, will then be migrated successfully.
After the roaming profiles have been migrated, you will want to define a set of NDS policies to instruct workstations to look for the roaming profile in the user's home directory. You can leverage ZENworks for Desktops to help you. One of the many things you can use ZENworks for Desktops to centrally manage is the location of users' roaming profiles. (You manage the roaming profile configuration through the ZENworks User Policy Package, which is under the Desktop Preferences policy.)
You should install and configure ZENworks for Desktops on the NetWare server before you perform the migration. During the migration, you are given the option to associate the users and groups that are being migrated with ZENworks policy packages. However, NetWare Migration Wizard 4.0 will allow you to select only ZENworks policy packages that were created using ZENworks for Desktops 2. Novell will add support for policy packages created with ZENworks for Desktops 3 to the updated NetWare Migration Wizard later in 2001.
By integrating ZENworks for Desktops, NetWare Migration Wizard 4.0 provides a complete migration solution. When you have completed the migration process, not only will you have migrated Windows NT users, groups, files, and folders to the NetWare server, but you will also have associated these users and groups with the ZENworks policies that control the following:
Available software applications
Installation and configuration of appropriate printers and printer drivers
Installation and configuration of remote control agents
Windows NT, 98, and 95 extensible policies
Windows 2000 group policies
Local 2000 and NT workstation user accounts
WHAT ABOUT PASSWORDS?
You probably want to know if NetWare Migration Wizard 4.0 migrates the users' passwords for the Windows NT domain. The answer is no, because these passwords are stored in the domain as a one-way hash (MD4) that cannot be reversed to recover the original password.
If you have used the Novell Account Management product (formerly known as NDS for NT), you know this product synchronizes the NDS and the Windows NT domain passwords. You may wonder how this product synchronizes these passwords if they are stored in a format that cannot be reversed.
Novell Account Management installs a service on the PDC. When a user changes his or her domain password, the password is sent from the workstation to the server in a format that can be decrypted. This service decrypts the new password and then writes it to both the domain and NDS eDirectory. After the password has been written to the domain, however, you cannot recover that password from the stored hash.
Because the existing domain passwords cannot be migrated automatically, NetWare Migration Wizard 4.0 gives you three options. With all three options, NetWare Migration Wizard 4.0 sets passwords so that they expire on the first user login, and NDS eDirectory forces users to change their password. (See Figure 3.)
Assign the same password to all users. You can leave the domain password blank or enter any combination of characters you choose. This option is the simplest but least secure.
Assign a random password to all users. NetWare Migration Wizard 4.0 randomly generates a password for each user as the user is migrated. The passwords are written to a file with a _OUT.TXT extension. (NetWare Migration Wizard 4.0 includes one mistake; it says the passwords are written to the success log when in fact they are not.)
Read passwords from a file. If you can determine the password of every user in the domain, you can create a text file that contains these passwords. NetWare Migration Wizard 4.0 can then use this text file during the migration. (For information about formatting this text file, visit www.novell.com/documentation/lg/migwiz/docui.)
IMPORTANT POINTS TO REMEMBER
Migrating a server can be a nail-biting experience. To help you successfully migrate your company's Windows NT server to NetWare, you should keep in mind the following:
If the domain user or group already exists in NDS eDirectory, none of the existing NDS user or group properties will be overwritten.
If you want to migrate home directories, you must create an NDS Template object with the home directory attribute defined.
If usernames include invalid NDS characters, such as the period (.), these characters will automatically be replaced with the underscore (_) during the migration.
Domain login scripts are not migrated.
The passwords of all migrated users will be set to expire on the next login. The next time users log in to NDS eDirectory, they will be prompted to change their password.
If a domain user does not have an expiration date defined, the account will be set to expire in 365 days.
The Windows NT domain information that corresponds to the NDS Intruder Detection information is only migrated to NDS OUs that are created during the migration. On a Windows NT server, this information is set on a domain-wide basis.
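Two of the behaviors described in this article interact: domain users are merged with existing NDS users that have identical names, and periods in usernames are replaced with underscores. The following Python sketch is an added example, not part of the original article or of the wizard. It lists the accounts an administrator should confirm by hand before the migration: domain accounts that map to the same NDS name, and domain accounts that will be merged with an existing NDS user. It assumes names are compared without regard to case; the account names are constructed sample data, and only the period is treated as an invalid character because it is the only one the article names.

```python
"""Pre-migration name review: substitution collisions and merge candidates."""
from collections import defaultdict

# Only the period is named in the article; extend this string if your
# documentation lists further invalid NDS characters.
INVALID_NDS_CHARS = "."

# Constructed sample data.
DOMAIN_ACCOUNTS = ["j.smith", "j_smith", "mlee", "a.jones", "bkim"]
EXISTING_NDS_USERS = ["MLee", "a_jones"]


def nds_name(domain_name, invalid=INVALID_NDS_CHARS):
    """Apply the substitution rule: each invalid character becomes '_'."""
    return "".join("_" if ch in invalid else ch for ch in domain_name)


def review_names(domain_accounts, existing_nds, invalid=INVALID_NDS_CHARS):
    """Group accounts by target NDS name and classify the risky cases.

    collisions     -- several domain accounts map to one NDS name
    merges         -- domain account matches an existing NDS user as-is
    renamed_merges -- match exists only after character substitution
    """
    existing = {name.casefold(): name for name in existing_nds}
    by_target = defaultdict(list)
    for account in domain_accounts:
        by_target[nds_name(account, invalid).casefold()].append(account)

    report = {"collisions": [], "merges": [], "renamed_merges": []}
    for target in sorted(by_target):
        sources = sorted(by_target[target])
        if len(sources) > 1:
            report["collisions"].append((target, sources))
        if target in existing:
            for source in sources:
                kind = "merges" if source.casefold() == target else "renamed_merges"
                report[kind].append((source, existing[target]))
    return report


if __name__ == "__main__":
    result = review_names(DOMAIN_ACCOUNTS, EXISTING_NDS_USERS)
    for target, sources in result["collisions"]:
        print(f"collision: {sources} all map to NDS name {target!r}")
    for source, nds in result["merges"]:
        print(f"merge: confirm {source!r} and NDS user {nds!r} are the same person")
    for source, nds in result["renamed_merges"]:
        print(f"merge after rename: {source!r} would match NDS user {nds!r}")
```

Every entry under merges or renamed_merges is a case where a migrated domain user would take on the identity of an existing NDS account, so each pair should be confirmed as the same person before the migration is run.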
NetWare Migration Wizard 4.0 provides a simple and risk-free solution to migrate Windows NT servers to a NetWare server. Because NetWare Migration Wizard 4.0 does not make any modifications to the Windows NT server being migrated, your company's data is safe even if a power outage or some other problem interrupts the migration process.
You do not have to be a Windows NT expert to use NetWare Migration Wizard 4.0. If you can drag-and-drop Windows objects, you can migrate a Windows NT server to a NetWare server.
For more information about NetWare Migration Wizard 4.0, check out the following resources:
Visit the NetWare Migration Wizard 4.0 home page at www.novell.com/products/migrationwizard.
Read the online documentation for NetWare Migration Wizard 4.0 at www.novell.com/documentation/lg/migwiz/docui.
Read the step-by-step overview of the entire migration process at http://support.novell.com/techcenter/articles/ana20000903.html. This overview was written by the engineer who wrote the utility. The downloadable PDF file includes screen shots of almost every dialog that appears during the migration.
Brad Anderson is the ZENworks business unit manager for Novell. As such, he manages the ZENworks engineering, product management, and product marketing teams. Anderson was the first product manager of ZENworks for Desktops and has worked for Novell for nine years.
Comparing Windows NT Permissions and NetWare Rights
DELETE and FILE SCAN
ACCESS CONTROL and FILE SCAN
ACCESS CONTROL and FILE SCAN
FILE SCAN and READ
ACCESS CONTROL and WRITE and CREATE and MODIFY
FILE SCAN and READ
* Originally published in Novell Connection Magazine