
Migration migraines

Moving from Windows NT domains to Active Directory is never simple, even with the four products we tested that are supposed to ease the pain.

By Dennis Williams

If you're not concerned about the magnitude of the task required to migrate to Active Directory, you probably don't run Windows NT. But the reality is that if you're planning a migration, don't plan to take any time off soon.

Four firms offer tools that can help you make the transition from an NT 4.0 domain-based network to Windows 2000 Active Directory. These third-party products are Aelita Software's Controlled Migration Suite, BindView's bv-Admin for Windows 2000 Migration, FastLane Technologies' DM/Manager and NetIQ's Domain Migration Administrator (DMA).




In our tests, two of these stood out as having the best tools for performing a migration: NetIQ's DMA and BindView's bv-Admin. While neither product won the Network World Blue Ribbon award, as we did not feel they were outstanding, they did provide adequate tools for migrating to Win 2000. NetIQ's and BindView's products were the easiest to use. We knew where we stood in the migration process and what had to be done next. This also translates to speed - not in how fast the code works but in how quickly you can get from NT 4.0 domains to Active Directory.

However, if there's one word to describe our experience with these products, it's "confusion." Each vendor is guilty to varying degrees of leading users all over the place, providing a multitude of tools tied together by only a 6-inch stack of documents.

Despite their collective flaws, these products have come a long way since last year when we compared them. Last year Aelita won the honors as being the best migration tool, but fell behind this year due to its lack of a cohesive interface. Aelita's tools have improved, but have been surpassed in terms of ease of use.

NetIQ DMA

As our scorecard reflects, NetIQ's DMA - a component of the company's OnePoint Windows NT and 2000 management suite - isn't perfect, but it is our tool of choice in this case. Our test migration went quickly and without problems. First we noticed its easy installation and clean interface. You don't need to go back and forth between applications because the functionality is accessible through the main DMA screen. It also put modeling in the foreground, making it part of the product database. DMA was the most straightforward, easy to use and complete migration tool we tested. It offered a full set of features and tools for handling the many other tasks that accompany a migration. Larger companies will appreciate DMA's project-based migration tracking, migration modeling, and clean and pristine migration method.

So what didn't we like about DMA? Not much, other than it is still very modularized, requiring you to purchase different applications to accomplish a complete migration. We would like to purchase one package and perform an entire migration from a single interface. NetIQ required three applications to complete the migration.

The first utility we used from the OnePoint suite was Chariot for Active Directory, which determines whether your network can handle Active Directory. It simulates network traffic that will occur in your environment due to Active Directory and helps you pinpoint bottlenecks to understand what kind of bandwidth you'll need. We used it to identify server hardware and which machines were capable of running Win 2000, and to stress-test lines to distributed locations to make sure Active Directory had enough bandwidth to properly replicate.

We then used DMA to look at our domains and identify their structures and pinpoint clutter. We could locate what service accounts were in use in our domains, what machines were using these service accounts, and what user and group memberships looked like. This tool also identifies what user accounts are disabled or expired, and which accounts haven't logged on for a while and should be disabled before migration. We pinpointed which disabled user accounts and even some groups we didn't want to migrate over into Active Directory. This last point is crucial because you don't want to bring the clutter of your old domain over to Active Directory.

Server Consolidator is a utility that helps facilitate the movement of files and corresponding permissions for NT servers to one data center server. You can use this in a test mode to verify that the prerequisites are met, such as whether the target server has enough disk space to accommodate the consolidation. This tool helped us discover that we needed more disk space on our target server.

When you start selecting user accounts, groups and printers to migrate, DMA lets you test the migration in its database before you put it into Active Directory. Modeling the migration helps to discover problems ahead of time. If you discover errors after performing the migration, you can roll back those changes, fix the problem and complete the migration. Some migration tasks can be scheduled and automated to run during off-peak hours or overnight. DMA also lets you exclude disabled and expired accounts, so you can prevent these from being migrated. You can generate reports in HTML, and they show the results of the migration.

DMA does the assessment, the directory migration, the resource permissions migration, and it renames the computer. It is fast at reACLing, and covers ownership settings on files, auditing settings on files, remote computer rename, and reboot and modeling. ReACLing takes its name from Microsoft's Access Control List (ACL), where user security rights are stored. ReACLing (pronounced re-ack-ling) is an important step during a migration from an NT domain to Win 2000 because this is where access rights are migrated: you must reACL so that users in your newly created directory have access to the same resources (files) they had in the domain prior to the migration. If you want to roll back a portion of the migration, DMA has an undo migration task wizard that lets you roll back specific objects, such as a user account, a reACLing process, or an entire organizational unit.

After the migration is complete, you must make sure Active Directory is healthy and available. This ongoing management is accomplished with the file and storage administrator utility. It monitors the health of Active Directory and makes sure domain controllers are replicating correctly. It also lets you implement security policies for files, such as locating MP3 files and taking a predefined action such as deleting, moving or setting the ACL to deny access to those files.

Another product from NetIQ, the Directory and Resource Administrator, provides Active Directory content control capabilities. It lets you automate mundane tasks such as creating user accounts in different software applications such as human resources, database and e-mail when a new user account is created in Active Directory. It doesn't offer any additional management capabilities; it just automates what you can already do manually. And because this product is separate, you must purchase it in addition to DMA.

BindView bv-Admin 3.6 for Win 2000

BindView entered the Active Directory migration market in February 2000 via its acquisition of Entevo. While the company has done little to update Entevo's programs to reflect their name changes, the products do round out BindView's Win 2000 migration offering, as BindView already had technologies to query the entire NT infrastructure and discovery tools for hardware and software inventory. We really liked BindView's simple approach to migration. It was easy to understand and use, and it only fell slightly behind NetIQ due to its migration speed. Although we don't feel migration speed is something we want to pin a grade on, BindView's DirectMigrate was noticeably slower than the other migration tools in this review - as much as twice as slow. But where it lacks speed, we give it kudos for simplicity.

BindView uses a three-phase approach to migration. The first phase is to discover, analyze and assess objects on the network. For this you use a tool called bv-Control, which provides query-based reporting on your environment. You ask it plain English questions and it queries the entire network to find results. We performed a query to discover how many user accounts hadn't logged in for six months.

The second phase in the BindView process is to clean up, model and migrate. For these tasks, you use bv-Admin, which provides tools to do a majority of administrative tasks across platforms and directories. It lets you look at Microsoft Exchange, NT and now Active Directory. We liked bv-Admin for managing the NT domain and Active Directory. While we don't use Exchange, bv-Admin will make the migration and integration tasks easier for those who do.

The last phase is to deploy and manage. Last year when we looked at Entevo's DirectMigrate (now bv-Admin), it was one big wizard. Now there's a new interface with tasks broken down into projects. There are projects to consolidate NT and projects to migrate to Active Directory. Bv-Admin also contains migration utilities and separate breakouts for things such as password copy, the ability to migrate resources and an autopopulate utility that is useful for in-place upgrades. We liked its new, well-organized layout: It made sense and put each utility at our fingertips.

Bv-Admin's main function is to set up delegation over NT domains, but in a migration scenario you can use its organizational unit structures as a way to logically break up all the objects on the NT side you want to migrate. The organizational unit structures created in NT can be used to segment your various users, groups, computer accounts and resources. This lets you create organizational units and have them contain the various objects, which then become the source for the actual migration. This scenario makes it easy to take the hierarchical structure in an NT domain and migrate it in one easy step to Active Directory.

Another utility included with bv-Admin is Account Activator. It is a Web-based application that gives you a manageable process to move users to Active Directory, activate their new accounts and deactivate their old accounts. It e-mails the users to tell them of the transition, instructs them to create a new password and, if there is a new domain name, tells them to use it.

For domain consolidation, bv-Admin lets you select objects from multiple domain sources so you can migrate on the fly without having to consolidate domains. We found this minimizes the number of steps in the migration process. You can migrate a user, create the user account and update the attributes in one step.

FastLane DM/Suite

FastLane's product is an example of a myriad of disparate tools that can easily confound the user. The installation CD contains a dozen folders with different utilities set up for different purposes. All of these must be installed separately. The main program for the migration is DM/Manager, which handles migration tasks in addition to pruning and grafting, and requires repetitive moves from domain to domain or organizational unit to organizational unit. You can use a wizard for a step-by-step migration approach, or use an Explorer-like interface that offers a full preview list and lets you drag and drop objects from one domain to another. No matter which interface you prefer, both use a central database - the migration repository. This repository is a centralized database used by all the FastLane utilities to track the migration progress.

DM/Manager is positioned for large (greater than 1,000 users) geographically dispersed enterprise networks. This is the size where you'll see the benefits of centrally tracking all migration information in the DM/Manager Migration Repository. The database lets you track all the user and group migrations regardless of where they're coming from so you always know that the objects have been migrated. The repository is also the glue that lets all the disparate utilities and management consoles included in DM/Suite work together. One benefit of the repository approach is it can help you maintain your service-level agreements and lets you update the resources using a client's consolidated list of accounts.

DM/Administrator is a product for NT 4.0 networks that lets you create a model directory structure before performing the migration. If you like the model, you can use it to perform the actual migration on Active Directory.

To undo migrated objects, you simply use the undo pull-down option in DM/Manager. This gives you a full list of all migrated accounts. You can then select any accounts you need to have backed out of the migration. All ACL updating is nondestructive and allows for both accounts to have access to everything, including file services, workstation profiles and Exchange mailbox information. This is helpful for parallel migrations in which you run Active Directory and NT domains. We used the undo feature several times in our testing and it never failed us.
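The reACLing step described in the NetIQ section and the nondestructive ACL updating described above can be modeled in a few lines. This is an added illustration in Python, not code from any of the reviewed products; the SIDs, the `Ace` and `Descriptor` types and the access-mask flags are constructed for the example.

```python
# Added illustration: a simplified model of reACLing, not any vendor's code.
from dataclasses import dataclass, replace

SRC_DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed NT 4.0 domain SID
DST_DOMAIN = "S-1-5-21-7777-8888-9999"   # constructed Active Directory domain SID
READ, WRITE = 0x1, 0x2                   # constructed flags, not real Windows masks

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: int   # access rights bitmask

@dataclass(frozen=True)
class Descriptor:
    owner: str
    dacl: tuple  # ordered tuple of Ace

def reacl(sd, sid_map, mode="add"):
    """Return (new_descriptor, orphans).

    mode="add"     keeps each source-domain ACE and adds a twin for the
                   migrated account, so both accounts work in parallel.
    mode="replace" swaps the SID in place for a clean cut-over.
    orphans lists source-domain SIDs that have no migrated counterpart.
    """
    out, orphans = [], []
    for ace in sd.dacl:
        target = sid_map.get(ace.sid)
        if target is None:
            # Unmapped entry: keep it, but flag it if it belongs to the old domain.
            if ace.sid.startswith(SRC_DOMAIN + "-"):
                orphans.append(ace.sid)
            out.append(ace)
            continue
        if mode == "add":
            out.append(ace)
        # The twin sits next to the original, so deny/allow ordering is preserved.
        out.append(replace(ace, sid=target))
    dacl = tuple(dict.fromkeys(out))  # drop exact duplicates, keep order
    # An object has a single owner, so it only changes on a full cut-over.
    owner = sid_map.get(sd.owner, sd.owner) if mode == "replace" else sd.owner
    return Descriptor(owner, dacl), sorted(set(orphans))

# Constructed sample: one file's descriptor and the account mapping
# recorded while users were migrated.
SAMPLE = Descriptor(
    owner=f"{SRC_DOMAIN}-1001",
    dacl=(
        Ace("deny", f"{SRC_DOMAIN}-1002", WRITE),
        Ace("allow", f"{SRC_DOMAIN}-1001", READ | WRITE),
        Ace("allow", f"{SRC_DOMAIN}-1003", READ),    # disabled account, not migrated
        Ace("allow", "S-1-5-32-544", READ | WRITE),  # BUILTIN\Administrators
    ),
)
SID_MAP = {
    f"{SRC_DOMAIN}-1001": f"{DST_DOMAIN}-5001",
    f"{SRC_DOMAIN}-1002": f"{DST_DOMAIN}-5002",
}

if __name__ == "__main__":
    for mode in ("add", "replace"):
        sd, orphans = reacl(SAMPLE, SID_MAP, mode)
        print(f"[{mode}] owner={sd.owner}")
        for ace in sd.dacl:
            print(f"  {ace.kind:5} {ace.sid} mask={ace.mask:#x}")
        print(f"  orphaned source SIDs: {orphans}")
```

In this model the orphan list is the output to review before the source domain is retired: those entries still grant access to accounts that were left out of the migration.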

DM/Mover is for domain controllers and lets you take a snapshot of the settings on a domain computer before you move it into a new Active Directory domain. If you did a native upgrade, through the Windows Upgrade CD on a Domain Controller or BDC, you would lose all local group information, access controls and share points. DM/Mover lets you preserve those settings. So after you reinstall the operating system, you can use it to reapply the information so the shares are the same with the new server as they were with the old.

The most recent and significant addition to the FastLane suite is a feature called Active Roles, which provides role-based administration within Active Directory. The problem with Active Directory is there are so many objects and object attributes that being able to manage them across a firm is impossible. Active Roles lets you logically bundle native settings in Active Directory. You can create managerial groupings for human resources to change personal settings or create one help desk group to reset passwords and another help desk group to change group memberships. Active Roles supports all objects and attributes in Active Directory, letting you build role-based administration over anything. But it's especially useful in helping enforce permissions over assigned organizational units.

FastLane provides documentation for its DM products. The documentation is well-organized, in that if you're working in DM/Administrator there is a booklet just for that product. But where it falls short is in providing some sort of manual that ties it all together.

Aelita Controlled Migration Suite

The Domain Migration Wizard (DMW) is the main piece of this suite. It is designed for large corporate networks with thousands of users. But the implementation strategy is unclear, and the product documentation is confusing. In last year's review, Aelita's product received the highest marks because it offered the most complete package. But we found ourselves thinking that we'd need a support representative on-site if using this tool on a production network.

DMW uses a wizard, which comprises a handful of applications that use a centrally managed database. Because it is database-driven, you can undo undesirable changes. The DMW Project Manager tracks the migration so you know what has been done. It lets you work on multiple migration projects, but only one at a time. We found this to be a disadvantage for large companies that delegate migration responsibilities.

We used DMW to collect information from the network, which was stored in the central database. We then selected the user accounts and groups we wanted to migrate to Active Directory. DMW knows what objects you've already migrated because this is stored in the database. You can automate this process by providing DMW with lists of users you want to migrate. There is no automated way to skip disabled accounts, which is a fault in this product. Before the migration takes place, you can rename users and groups to eliminate duplicate accounts. Once the migration process begins, you can stop it at any time and resume it later. Or if you don't like the results of a migration or made a mistake, you can undo it and go back to the original domain.

There are four steps to follow with the domain migration wizard. The first is to select the source and target domains. A list is displayed showing the domains you can choose from. The wizard then analyzes the two domains and lets you choose which users and groups you want to migrate. You can specify what actions to take if duplicate user and group names are encountered. The next step is the actual migration of users and groups, followed by the domain migration reports window, where you can view the report of the migration.

Another important utility is the DMW Data Mover. This helps you consolidate data on your servers where the user and group information have been consolidated. The Data Mover requires a management console, a hub (a computer running the Data Mover agent software), and source and target data locations. You can then synchronize data directories. During server consolidation and data migration with DMW Data Mover, we installed hubs on target computers to eliminate extra hops the data would have to travel during synchronization. The goal is that users do not notice their data has been physically moved. This was a slick feature in our estimation.

Other capabilities of DMW include the ability to consolidate multiple older servers into fewer newer and more powerful servers. You can also migrate cluster servers. And there's a Trust Migration Wizard for transferring trust relationships. If that's not enough, there's a scripting language that lets you customize these utilities for your situation.

The Delegation Manager piece provides ongoing management, but its capabilities are limited. It runs on Win 2000, but can only manage a few of the objects in the directory schema. The reason this product's management capabilities have slipped is that the firm is working on a new product to replace it - Directory Manager, which should be available in a few months. This will provide more complete management of directory properties.

DMW offers many capabilities for large and small nets, but its lack of cohesiveness left us floundering. We took more time using this product than any other in this review. Half the time was spent digging through the manuals.

Each product in this review does a good job of migrating NT domains to Win 2000 Active Directory. We performed successful migrations with each one and gained confidence with them all, although that confidence came quicker with some than others. But NetIQ's was the most polished and ready for the masses. BindView's was also an outstanding product with strong management capabilities. With FastLane and Aelita, we often felt like we were beta-testing products that had functional components, but weren't yet completely glued together.


Williams is the director of ProductReviews.com in Alpine, Utah. He is a product improvement consultant, usability shrink and freelance writer. He can be reached at Dennis@ProductReviews.com.


Global Test Alliance

Williams is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.

Copyright, 1994-2006 Network World, Inc. All rights reserved.