WinNT4 to Join "Windows 2003 DC" {Very Important Please}

Hello All;

For the last 7yrs I have been using my faithful Windows NT4 server as my
DC in the Network.
Now that my company is starting to grow, I have built another system Running
Windows 2003 Server and I have given it the Role of being the DC in the
Network.
During this transition everything went so smoothly with all the
Windows 2000 Pro. Systems
& the other Windows 2003 Ent. Server.
But none of the Windows NT4 servers seem to want to join the new 2003 DC.

The NT4 server that use to be the PDC I have to reinstall the system in
order to join
The 2003 DC.
So during Install, I get to the "Start Networking"
I choose to be a "Stand Alone Server" And try to join the DC.
(or)
I choose to be a "Backup Server" and try to join the DC
And on both I receive the following Error:

( I am writing this message by memory, so I hope that it is correct )
=============================================
Cannot find the Domain Controller for this Domain. Make sure that
You have typed your Username and Password correctly and try again
=============================================

On the other WinNT4 servers, that use to be BDC's I have already demoted
them to be
Workstations, so that I could have them ready for the migration into the new
2003 Server DC.
But when I try to logon to the new DC with them, I receive the following
error:

=============================================
The local policy of this system does not permit you to logon interactively
=============================================

I tried the following on the above error:

"ntrights -m \\YourServer -u <group or user> -r
SeDenyInteractiveLogonRight" // To Remove
"ntrights -m \\YourServer -u <group or user> +r SeInteractiveLogonRight" .
// To Add

But neither of these would work. I would get an error, but cannot remember
the error right of the bat.



Can someone please let me know how to join the NT4 Servers into the 2003 DC.
Please, this is very important!

Thank you all
Wayne

you may want to install WINS server. quoted from
http://www.howtonetworking.com/mixednet.htm
NetBIOS and WINS are required in a mixed network
NetBIOS and WINS name resolution is required only on mixed-mode (Windows 95,
98, Me, NT, 2000 and XP) networks to provide backward-compatibility older
versions of Windows. If you have a domain mixed-mode network with DHCP and
DNS, you are better to cerate WINS in your system. In workgroup mixed-mode
network, most people enable NetBIOS over TCP/IP to resolve NetBIOS name to
equivalent to IP addresses. Alternatively, you can install NetBEUI protocol
in the clients.
--
For more and other information, go to http://howtonetworking.com.


Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
"Wayne" <(E-Mail Removed)> wrote in message
news:OuC%(E-Mail Removed)...
> Hello All;
>
> For the last 7yrs I have been using my faithful Windows NT4 server as my
> DC in the Network.
> Now that my company is starting to grow, I have built another system
> Running
> Windows 2003 Server and I have given it the Role of being the DC in the
> Network.
> During this transition everything went so smoothly with all the
> Windows 2000 Pro. Systems
> & the other Windows 2003 Ent. Server.
> But none of the Windows NT4 servers seem to want to join the new 2003 DC.
>
> The NT4 server that use to be the PDC I have to reinstall the system in
> order to join
> The 2003 DC.
> So during Install, I get to the "Start Networking"
> I choose to be a "Stand Alone Server" And try to join the DC.
> (or)
> I choose to be a "Backup Server" and try to join the DC
> And on both I receive the following Error:
>
> ( I am writing this message by memory, so I hope that it is correct )
> =============================================
> Cannot find the Domain Controller for this Domain. Make sure that
> You have typed your Username and Password correctly and try again
> =============================================
>
> On the other WinNT4 servers, that use to be BDC's I have already demoted
> them to be
> Workstations, so that I could have them ready for the migration into the
> new
> 2003 Server DC.
> But when I try to logon to the new DC with them, I receive the following
> error:
>
> =============================================
> The local policy of this system does not permit you to logon interactively
> =============================================
>
> I tried the following on the above error:
>
> "ntrights -m \\YourServer -u <group or user> -r
> SeDenyInteractiveLogonRight" // To Remove
> "ntrights -m \\YourServer -u <group or user> +r SeInteractiveLogonRight" .
> // To Add
>
> But neither of these would work. I would get an error, but cannot remember
> the error right of the bat.
>
>
>
> Can someone please let me know how to join the NT4 Servers into the 2003
> DC.
> Please, this is very important!
>
> Thank you all
> Wayne
>
>
>

\ Hello Robert;
and thank you very much for the link and information.
As it gave me a starting point, to finding some more information
on this issue.

I found this link
http://www.tek-tips.com/viewthread.c...=982783&page=1

With this information here:
===========================================
In order for any computer belonging to a Windows 2000 or Windows 2003 domain
to function properly, they must all be configure to use your Internal
Windows DNS servers. This is a change from NT 4.0 to Windows 2000 and
higher domains.
===========================================

So this tells me that I need to configure the DNS on the 2003 Server.
To be the Internet DNS Server for the Network.
OK
Could you or someone else please send me some information on how to
Start this?
I have only set up DNS for Domain.Com's never have I set up DNS for
Internal Use. So I am at a loss.

I am doing some searching through Google. To see if I can find information
on it as well.

After I get the Internal DNS Working, I will then work with the WINS Server
Part of it as well.
So I am open to all suggestions that anybody and everybody can assist me
with.

Thank you once again Robert.

Wayne

Have you installed the latest service pack on the NT Server before joining
the domain? I seem to remember needing at least SP 3 or 4, can't remember
which

"Wayne" <(E-Mail Removed)> wrote in message
news:OuC#(E-Mail Removed)...
> Hello All;
>
> For the last 7yrs I have been using my faithful Windows NT4 server as my
> DC in the Network.
> Now that my company is starting to grow, I have built another system
Running
> Windows 2003 Server and I have given it the Role of being the DC in the
> Network.
> During this transition everything went so smoothly with all the
> Windows 2000 Pro. Systems
> & the other Windows 2003 Ent. Server.
> But none of the Windows NT4 servers seem to want to join the new 2003 DC.
>
> The NT4 server that use to be the PDC I have to reinstall the system in
> order to join
> The 2003 DC.
> So during Install, I get to the "Start Networking"
> I choose to be a "Stand Alone Server" And try to join the DC.
> (or)
> I choose to be a "Backup Server" and try to join the DC
> And on both I receive the following Error:
>
> ( I am writing this message by memory, so I hope that it is correct )
> =============================================
> Cannot find the Domain Controller for this Domain. Make sure that
> You have typed your Username and Password correctly and try again
> =============================================
>
> On the other WinNT4 servers, that use to be BDC's I have already demoted
> them to be
> Workstations, so that I could have them ready for the migration into the
new
> 2003 Server DC.
> But when I try to logon to the new DC with them, I receive the following
> error:
>
> =============================================
> The local policy of this system does not permit you to logon interactively
> =============================================
>
> I tried the following on the above error:
>
> "ntrights -m \\YourServer -u <group or user> -r
> SeDenyInteractiveLogonRight" // To Remove
> "ntrights -m \\YourServer -u <group or user> +r SeInteractiveLogonRight"
..
> // To Add
>
> But neither of these would work. I would get an error, but cannot remember
> the error right of the bat.
>
>
>
> Can someone please let me know how to join the NT4 Servers into the 2003
DC.
> Please, this is very important!
>
> Thank you all
> Wayne
>
>
>

Hi Wayne.

The following links might help.

http://support.microsoft.com/default...en-us%3B291382
http://support.microsoft.com/default...b;en-us;300202 --- see part
on root hints and forwarders

"Wayne" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>\ Hello Robert;
> and thank you very much for the link and information.
> As it gave me a starting point, to finding some more information
> on this issue.
>
> I found this link
> http://www.tek-tips.com/viewthread.c...=982783&page=1
>
> With this information here:
> ===========================================
> In order for any computer belonging to a Windows 2000 or Windows 2003
> domain
> to function properly, they must all be configure to use your Internal
> Windows DNS servers. This is a change from NT 4.0 to Windows 2000 and
> higher domains.
> ===========================================
>
> So this tells me that I need to configure the DNS on the 2003 Server.
> To be the Internet DNS Server for the Network.
> OK
> Could you or someone else please send me some information on how to
> Start this?
> I have only set up DNS for Domain.Com's never have I set up DNS for
> Internal Use. So I am at a loss.
>
> I am doing some searching through Google. To see if I can find information
> on it as well.
>
> After I get the Internal DNS Working, I will then work with the WINS
> Server
> Part of it as well.
> So I am open to all suggestions that anybody and everybody can assist me
> with.
>
> Thank you once again Robert.
>
> Wayne
>
>
>

The Web Server is the only NT4 that I have reinstalled out of the "4" That
we have.
And once I did all the SP's to 6a. It joined the Domain so Sweetly.
And is right now a member and logged on as such.
So that is one thing that is out of the way.
So now I know that you cannot Join a 2003 Domain until the SP's are
installed.
================================================== =======

But this is a problem for the other Servers.
When I installed them, and during the Network Setup.
I joined the NT4 Domain that was in place for the last 7yrs.
Now that they are already running on the "Domain" which is the OLD Domain
(The 2003 DC is using the same exact Domain.name that we have always used)
Since this is the case, the old servers cannot jump into a WorkGroup,
And then become Members that way. So they are currently stuck with
Logging on as "Administrator" for the Domain.

Since these NT4's joined the OLD NT4 Domain during Server Install.
Is there anyway possible, to "Force" them to leave the OLD (new)Domain, and
then
Try to Join on the Newer Domain?
I hope that makes since :-)

I really do not want to have to reinstall these Servers like I had to do to
the
Web Server (Which was the PDC Of the OLD Domain)

Thanks All

Steven, I am going to go check out your links and see if they will help me,
For the other servers.

This is awfully strange??

I cannot physically logon with the assigned Username on the "Mail Server"
To the 2003 Domain. OK, that is what this topic is about, so we all know
that.
Now!!
This is the strange part.

I just took the NT4 Web Server and browsed the Network, clicked on the
Mail Server
And it prompted me for the Logon information.
I types in the "Assigned = Username & Password" And it let me in.

Now If I can do that, then why in the world can I not logon to it with the
Server Itself???

Very confused now :-(

Wayne

There is a user right for logon locally that apparently the account you are
trying to logon to the console with does not have for that server. The
reason you could access it over the network is because you have the user
right for "access this computer from the network" for that server.

If the server you can not logon to is a Windows 2000 or Windows 2003 server
you should be able to logon as an administrator and open Local Security
Policy via secpol.msc and modify the user right for logon locally to contain
the users/groups that you need. Look under security settings/local
policies/user rights. If you can not change the policy on Windows 2003
Server or the "effective" settings is different than the local setting in
Windows 2000, then there is a domain/Organizational Unit policy overriding
local policy and you must modify the overriding policy. Another thing to try
is to configure "Domain Security Policy" user right for logon locally to
contain administrators and users and then try rebooting the computer you are
locked out from logging onto the console. Keep in mind that any settings
defined for "deny logon locally" will override logon locally user right. For
domain controllers the user right for logon locally must be configured in
"Domain Controller Security Policy". By default regular domain user accounts
can not logon to domain controllers. If for some reason you can not logon to
a domain controller, you can install Adminpak on a Windows 2000 or 2003
domain computer and logon to that computer as a domain admin and manage
Domain/Domain Controller Security Policy. Adminpak is in the I386 folder of
the appropriate operating system install disk. XP Pro can use Adminpak for
Windows 2003. Hope this helps somehow. --- Steve



"Wayne" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This is awfully strange??
>
> I cannot physically logon with the assigned Username on the "Mail Server"
> To the 2003 Domain. OK, that is what this topic is about, so we all know
> that.
> Now!!
> This is the strange part.
>
> I just took the NT4 Web Server and browsed the Network, clicked on the
> Mail Server
> And it prompted me for the Logon information.
> I types in the "Assigned = Username & Password" And it let me in.
>
> Now If I can do that, then why in the world can I not logon to it with the
> Server Itself???
>
> Very confused now :-(
>
> Wayne
>
>

(Still Not Working)
OK. This is what I have done so far:

I have a "Organization/Policy" Created as per the information here:
http://support.microsoft.com/default...b;en-us;285793

In the Policy noted here. When I created the "Org/Policy" I added in the
following
[Define these policy settings]
===============
administrators
domain\username
===============
So that is taken care of.

Now in: [Group Policy Object Editor]
Under: Computer Configuration\Security Settings\Local Policies\User Rights
Assignment\ [Allow log on locally]

I have the following done:
[Define these policy settings]
===============
administrators
domain\username
===============

OK. (Lets see if I can remember everything that has been done post and prior
to the above
This way you and everyone else will know exactly what has been, so that any
other information
That may be needed to get this to work, can be supplied without going over
what I have already
Done, thus not wasting any precious time chasing our tails around, like the
dogs next door :-) )

------------------------
In [Active Directory Users & Computers]
Under: [Domain Controllers]
Under: Computer Configuration\Security Settings\Local Policies\User Rights
Assignment\ [Allow log on locally]

I have the following done:
[Define these policy settings]
(I added in the Username, not sure if this would help or not, but I am
covering all angles here)
===============
domain\username
===============

In [Active Directory Users & Computers] Also
Under [Users]

I have the Username's of all the connecting computer accounts listed.
And are members to the appropriate area's
[Member of]
===============
Administrators
Domain Admin
Domain Users
Enterprise Admin
Group Policy Creator Owners
Pre-Windows 2000 Compatible Access
Schema Admins
===============

-------------------------------

I have set up: [NETBOIS over TCP/IP]
-------------------------------
In each of the NT4 Servers I have them doing DNS to.
2003 DC - Primary
Web DNS - Secondary
ISP DNS - Secondary
ISP DNS - Secondary
-------------------------------
WINS Servers Are
2003 DC - Primary
Web Server - Secondary

===========================================
If their is anything else that I can thank of, I will let everyone know.
Please inform me of any other items that I need to check.

Thank You
Wayne