Migrating network from NT4 to 2003

I am having an error posting to Windows Server 2003 Setup Newsgroup for some
reason..

I am performing some research on this migration and am uncertain of a
particular thing:

We're moving from a Windows NT4 Domain to a new Windows Server 2003 domain.
The NT4 Server does not have the specs to handle server 2003, and I'd like to
leave it 'as-is' in case of a problem.

So, we'll be replacing this NT4 server with a new 2003 domain controller. I
found that the ADMT will be needed to move the user accounts over.

Here is my question: Since this will technically be a NEW domain, will the
PCs need to be unjoined from the NT4 domain and joined to the new domain? If
so, since we're using ADMT, will the users' current profiles be untouched
when they log into the new domain? I'm just curious as to why the ADMT would
be preferred over just building a new domain from scratch. Can someone
please help me?

PM


PM

The ADMT will "move" the Machines and the Users/Groups/Permissions to the
new domain and disable the old accounts on the NT domain as it does it so
that users won't log into the wrong one and screw up the user profile after
the move. It is VERY important that the user log into the new Domain
correctly the FIRST time. If they don't I have seen the user profiles get
screwed up and the machine creates a new one instead of using their original
one.

The SID History is copied to the new domain so that user's SIDs (both old
and new) are recognized by the new domain. This is how the Profile and File
share permissions are maintained.

Leave the old domain running for a few days.

Wait a day or so, run the ADMT to remove the SID History.

Wait another day or so to see if everything is still workng Ok,...then
remove the Domain Trust.

Wait another day (just to be safe) and assure all replication is completed
after the Trust is gone,...then power down the old domain and consider it
"gone".

Learn/know the ADMT documentaion very very well,....because I am sure I
probably forgot something I should have told you...that I'll remember
later.. :-)


Personally, I might do it differnetly. The way I suggest below will cause
no inconvenience to the user,..there will be less cleanup,...and it will
actually still be the same Domain and not a new Domain,...which means there
is almost no chance of permissions or profile problems.

First make full backups ot the original PDC,...maybe even Ghost images or
some other Driving imaging tool. Then.....

1. Fine a simple PC powerfull enough to at least run Server 2003. It
doesn't have to run fast,...it just has to run. Borrow one,..steal
one,...whatever,...it is only temporary.

2. Load NT40 on the PC as a BDC

3. Promote the BDC to a PDC,...which should cause your oringinal existing
PDC to demote to a BDC. Then remove the BDC (original server) from the
domain the same way you would correctly remove any BDC from an NT40 domain.
You can always restore it from the "image" I mentioned above if something
goes wrong.

4. Now install Server2003 "over the top" of the NT40. Now you have a
Windows 2003 Domain,...sort of...

5. Raise the Domain Functional Level to "Native Server 2003 Mode". Now you
have a real Windows 2003 Domain.

6. Build/Load the new server with the new Server 2003 and join it to the
Domain as a Member server. Be sure that DNS is installed on it. Then run
"DCPromo" to promote it to a Domain Controller of an "existing Domain". You
may have to manually make the new DC a Catalog Server.

7. Run DCPromo on the Temp DC and demote it down to a member server. The
FSMO Roles should automatically transfer during the Demotion. Now remove it
from the Domain.

8. Basically all done,...the users never knew anything happened.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------



"PM" <(E-Mail Removed)> wrote in message
news:F0E6DA93-3ECE-4821-8117-(E-Mail Removed)...
>I am having an error posting to Windows Server 2003 Setup Newsgroup for
>some
> reason..
>
> I am performing some research on this migration and am uncertain of a
> particular thing:
>
> We're moving from a Windows NT4 Domain to a new Windows Server 2003
> domain.
> The NT4 Server does not have the specs to handle server 2003, and I'd like
> to
> leave it 'as-is' in case of a problem.
>
> So, we'll be replacing this NT4 server with a new 2003 domain controller.
> I
> found that the ADMT will be needed to move the user accounts over.
>
> Here is my question: Since this will technically be a NEW domain, will
> the
> PCs need to be unjoined from the NT4 domain and joined to the new domain?
> If
> so, since we're using ADMT, will the users' current profiles be untouched
> when they log into the new domain? I'm just curious as to why the ADMT
> would
> be preferred over just building a new domain from scratch. Can someone
> please help me?
>
> PM

Thanks Phillip. I plan on researching ADMT in detail this weekend. I have a
quick follow-up question, however.

Basically, to migrate the workstations at the company, do we simply UNJOIN
them from the current domain, and JOIN them to the 'new' domain? Then, log
in as the user's account, which was of course migrated?

I'm just trying to picture how the process works at the individual
workstations.

Thanks!
PM

"Phillip Windell" wrote:

> The ADMT will "move" the Machines and the Users/Groups/Permissions to the
> new domain and disable the old accounts on the NT domain as it does it so
> that users won't log into the wrong one and screw up the user profile after
> the move. It is VERY important that the user log into the new Domain
> correctly the FIRST time. If they don't I have seen the user profiles get
> screwed up and the machine creates a new one instead of using their original
> one.
>
> The SID History is copied to the new domain so that user's SIDs (both old
> and new) are recognized by the new domain. This is how the Profile and File
> share permissions are maintained.
>
> Leave the old domain running for a few days.
>
> Wait a day or so, run the ADMT to remove the SID History.
>
> Wait another day or so to see if everything is still workng Ok,...then
> remove the Domain Trust.
>
> Wait another day (just to be safe) and assure all replication is completed
> after the Trust is gone,...then power down the old domain and consider it
> "gone".
>
> Learn/know the ADMT documentaion very very well,....because I am sure I
> probably forgot something I should have told you...that I'll remember
> later.. :-)
>
>
> Personally, I might do it differnetly. The way I suggest below will cause
> no inconvenience to the user,..there will be less cleanup,...and it will
> actually still be the same Domain and not a new Domain,...which means there
> is almost no chance of permissions or profile problems.
>
> First make full backups ot the original PDC,...maybe even Ghost images or
> some other Driving imaging tool. Then.....
>
> 1. Fine a simple PC powerfull enough to at least run Server 2003. It
> doesn't have to run fast,...it just has to run. Borrow one,..steal
> one,...whatever,...it is only temporary.
>
> 2. Load NT40 on the PC as a BDC
>
> 3. Promote the BDC to a PDC,...which should cause your oringinal existing
> PDC to demote to a BDC. Then remove the BDC (original server) from the
> domain the same way you would correctly remove any BDC from an NT40 domain.
> You can always restore it from the "image" I mentioned above if something
> goes wrong.
>
> 4. Now install Server2003 "over the top" of the NT40. Now you have a
> Windows 2003 Domain,...sort of...
>
> 5. Raise the Domain Functional Level to "Native Server 2003 Mode". Now you
> have a real Windows 2003 Domain.
>
> 6. Build/Load the new server with the new Server 2003 and join it to the
> Domain as a Member server. Be sure that DNS is installed on it. Then run
> "DCPromo" to promote it to a Domain Controller of an "existing Domain". You
> may have to manually make the new DC a Catalog Server.
>
> 7. Run DCPromo on the Temp DC and demote it down to a member server. The
> FSMO Roles should automatically transfer during the Demotion. Now remove it
> from the Domain.
>
> 8. Basically all done,...the users never knew anything happened.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>
> "PM" <(E-Mail Removed)> wrote in message
> news:F0E6DA93-3ECE-4821-8117-(E-Mail Removed)...
> >I am having an error posting to Windows Server 2003 Setup Newsgroup for
> >some
> > reason..
> >
> > I am performing some research on this migration and am uncertain of a
> > particular thing:
> >
> > We're moving from a Windows NT4 Domain to a new Windows Server 2003
> > domain.
> > The NT4 Server does not have the specs to handle server 2003, and I'd like
> > to
> > leave it 'as-is' in case of a problem.
> >
> > So, we'll be replacing this NT4 server with a new 2003 domain controller.
> > I
> > found that the ADMT will be needed to move the user accounts over.
> >
> > Here is my question: Since this will technically be a NEW domain, will
> > the
> > PCs need to be unjoined from the NT4 domain and joined to the new domain?
> > If
> > so, since we're using ADMT, will the users' current profiles be untouched
> > when they log into the new domain? I'm just curious as to why the ADMT
> > would
> > be preferred over just building a new domain from scratch. Can someone
> > please help me?
> >
> > PM
>
>
>

"PM" <(E-Mail Removed)> wrote in message
news:25D955AE-FA2A-41C1-A1B1-(E-Mail Removed)...
> Thanks Phillip. I plan on researching ADMT in detail this weekend. I
> have a
> quick follow-up question, however.
>
> Basically, to migrate the workstations at the company, do we simply UNJOIN
> them from the current domain, and JOIN them to the 'new' domain? Then,
> log
> in as the user's account, which was of course migrated?

No. The ADMT moves them and reboots them automatically. Once it comes back
up the user needs to change the third line to the new domain name (old one
is still there) and log into the new domain. That's way the ADMT has the
option to disable the original account so they don't log in the wrong way
when it boots up.


If you use the second method I described you won't have to worry about it at
all because there is *no* migration because there is no new domain. It
remains the same old domain all the way through the process. Nothing
changes on the Client, no domain changes, no reboots, no nothing. The only
reboots are on the DCs a couple times.

I would much rather "upgrade" a domain rather than create a new one and have
to migrate everything to it. No matter how careful you are and no matter
how good a job ADMT does there always seems to be days worth of clean up and
"trouble calls" from users because of "strange things" that just don't seem
to work right until you poke around on them a bit. I just did ours with
ADMT because a new domain was required in our situation. It took one week to
do and two weeks of babysitting afterwards, with odd things like,.... no one
could authenticate properly to the Proxy Server until I went around to
*every* machine and ran "ipconfig /release" then "ipconfig /renew".
Rebooting the machine wouldn't work and letting the DHCP lease expire
wouldn't do it,...it only worked correctly after a manual "ipconfig
/release" then "ipconfig /renew". I had MS on the phone at the time,...even
they couldn't explain it,...although it was their idea to try it because
they have "seen it before".

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------