
Migrating from NT4 Domain to AD


Iota

MIS
Sep 12, 2001
61
US
It may be easier to point me in the direction of a FAQ/Tutorial, but I thought I'd ask anyhow.

Currently we are running an NT 4 Domain environment. The PDC is rather small and really should be upgraded. The majority of our servers in the domain are Win2K S, with a few NT4 machines.

I'd like to take a Win2K server, that is currently a member of the domain, and make it a PDC in an AD environment. (The current PDC in the domain will still be used, but only as a member server in the future).

To make things even more complicated, Exchange 5.5 is involved as well--on another server.

Thanks.

-Iota
 
The upgrade path changes when you have existing Exchange 5.5 environment.

It's not a good idea to leave Exchange 5.5 in the Active Directory environment. Microsoft says 5.5 is compatible with Active Directory, but if you try to run 5.5 with AD then you're just asking for trouble.

I would upgrade 5.5 to exchange 2000 as soon after w2k upgrade as possible.

As for your PDC, You have several options. I would work toward the upgrade first, once the upgrade is complete then you can work towards taking that server offline and installing what you want on it.

This site was very helpful during our upgrade:


Microsoft changes their site very often. I would recommend that you find all your documentation, download it, and keep it until you're ready.

The upgrade will be very smooth if you follow each step exactly, in these guides.

 
Thanks for the response.. We do intend to go to Exchange 2000, so that's not the problem.

I guess the question that is still unanswered is, how can I take a server that is currently a member of an NT4 domain and make it a DC in an AD environment? (AD doesn't exist yet, it would be the first server.) Is dcpromo smart enough to handle that?

-Iota
 
PDC - Server A - NT 4
Exchange 5.5 - Server B - Windows 2000 member of Domain

Server C - Windows 2000 - Currently a member of the Domain


I would like Server C to become the Domain Controller in an Active Directory environment. Server A will no longer function in a DC role (in any way) and will still exist.

The goal is to move to an Active Directory structure and upgrade from Exchange 5.5 to Exchange 2000.

There are roughly 20 servers in all, mostly Win2K, that will move to this new structure.

Thanks again.

Iota
 
I'd

1) Create an NT4.0 BDC, synchronise it with the PDC, then take it offline. This is your backup and backout tool - if the W2K upgrade fails, you can power on the BDC, promote it to a PDC and you're back to your old NT4.0 domain.

2) Install Windows 2000 on the PDC (upgrade it from NT4) - this will convert all domain accounts and groups to AD. AD will automatically install after you do the upgrade to W2K.

3) Then you can think about making any W2K member servers a W2K domain controller (run dcpromo.exe).

4) If you don't want the upgraded PDC a W2K server/domain controller, be careful about taking it offline (or demoting it) as chances are it has some major roles - such as the RID master, and PDC emulator. These can be transferred from one box to another if you need to take the old PDC offline.
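
As an added illustration (not part of the original post) of the check behind step 4: before the upgraded PDC is demoted or taken offline, confirm it no longer holds any operations-master role. The sketch parses output in the style of `netdom query fsmo`; the sample text, host names and role-label wording are constructed assumptions.

```python
import re

# Role labels as assumed to appear in `netdom query fsmo` output; both the
# "master" and the older "owner"/"role" wordings are accepted.
ROLE_ALIASES = {
    "schema master": "schema", "schema owner": "schema",
    "domain naming master": "naming", "domain role owner": "naming",
    "pdc": "pdc", "pdc role": "pdc",
    "rid pool manager": "rid",
    "infrastructure master": "infrastructure",
    "infrastructure owner": "infrastructure",
}
ALL_ROLES = set(ROLE_ALIASES.values())

def parse_fsmo(output):
    """Map each role to the lower-cased name of the server holding it."""
    holders = {}
    for line in output.splitlines():
        # Label and holder are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        role = ROLE_ALIASES.get(parts[0].lower())
        if role and len(parts) == 2:
            holders[role] = parts[1].lower()
    return holders

def roles_still_held(output, server):
    """Roles that must be transferred before `server` goes offline."""
    holders = parse_fsmo(output)
    missing = ALL_ROLES - set(holders)
    if missing:  # incomplete output must not be read as "safe"
        raise ValueError("no holder reported for: " + ", ".join(sorted(missing)))
    name = server.lower()
    return sorted(r for r, h in holders.items()
                  if h == name or h.split(".")[0] == name)

# Constructed sample: PDC emulator and RID master are still on the old box.
SAMPLE_PARTIAL = """\
Schema master               serverc.corp.example
Domain naming master        serverc.corp.example
PDC                         servera.corp.example
RID pool manager            servera.corp.example
Infrastructure master       serverc.corp.example
The command completed successfully.
"""

if __name__ == "__main__":
    print(roles_still_held(SAMPLE_PARTIAL, "ServerA"))
```

An empty list means the server holds no roles; a `ValueError` means the output was incomplete and the check should be repeated rather than trusted.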
 
Hrmm.

I definitely _cannot_ upgrade the PDC to Win2k. It's an older system and has too few resources for Win2k.

The remaining NT machines (2 other ones) are in a similar situation, not to mention they are very high visibility production servers, so screwing these up could be very bad.

Ideally, I'd like to take one of my many Win2k servers and get an AD structure on it, then somehow migrate the domain into the AD structure. This possible?
 
You can migrate from nt to 2k, this is complex and not recommended. If you choose this path then you would basically move information from the PDC to 2000, using a migration wizard. I researched this solution long enough to know it would not work for our network.

I think you should follow darthNU's reply. Only take your PDC offline and setup one of your w2k server as a PDC, then upgrade it to AD.

Think about an easy way back to your existing setup in case w2k upgrade fails. It’s important that you have two ways out of a failed upgrade, otherwise you will have a nightmare trying to recover connectivity to the users, not to mention you will probably be looking for another job.

Also, the w2k AD will need to communicate with the exchange 5.5 server, until you get it upgraded to 2000. It uses the ADC to do this. It is not recommended to use the ADC that comes with W2K server cd. You must use the ADC that comes on the Exchange 2k cd.

 
I've migrated from an NT 4 domain to a new and separate AD domain and had it work quite well. Granted it's more work, but I wasn't about to upgrade my old server. I didn't have an exchange server involved, so that made it a bit easier.

Personally, I wanted to have a freshly installed 2000 server rather than an upgrade, so I chose to do a migration. This also had the benefit of leaving everything in the old domain as it was in case I had problems (there were a couple permissions problems from some of the advanced users *coughmessingupcough* playing with the permissions of things in their profiles, but nothing major). If you're looking for a free tool that'll get you there, download the Active Directory Migration Tool (ADMT) from Microsoft. There's a wealth of information in the help files of that, but I'll outline a few key items.

The migration tool will migrate user accounts (with SID history if you specify), computer accounts, security settings on folders & files.

The migration tool does not migrate passwords. You'll be given the choice of passwords being set to the same as the username, or complex random passwords. If you choose the former, come up with a plan to distribute those passwords to your users.

You will have a new and different netbios domain name. Make sure your users know to log into the new one (this is only an issue if the two domains are trusting each other; if you migrate the computer accounts and there's no trust, the new domain should be the default option).




Marc Creviere
 
Donnie, how am I going to setup the Win2K as a PDC w/o using active directory? If I could bring Win2K as a BDC, I could demote the PDC, promote the PDC, then upgrade, but I'm not seeing a way to do that.

-Iota
 
It will require a fresh install of nt4 on the w2k server. Setup the new w2k server as a bdc on the network. (Which of course will require you to blow away the installation of w2k that’s already on it.)

Then, take the pdc offline.

Upgrade the new bdc to a pdc, using server manager.

Upgrade the new pdc to w2k.
 
Ronnie--Ouch... That's painful. I hate upgrading OSes to begin with. Maybe it's me, but I always prefer a fresh install. Not to mention, the server I'm going to make the DC happens to have our cardkey system on it so blowing it away would be bad.

I'm starting to lean towards Filthpigs's suggestion about creating a new domain, but I'm still a bit uncertain about how exchange will handle the migration. I think I'm going to have to do a bit more digging--surely I'm not the only one in this situation that's needed to migrate to AD. Now if I could only find those people.

-Iota
 
Sorry this might sound strange.

But IOTA, have you considered the following?

Build a Dumb PC with NT server on it Promote it to a PDC (NT4)

Now Upgrade it to Win2k with AD Services.

Now you can Move the AD Service to another Win2k Server.

And ditch the rest.

Tesh
(Just a Thought)

I also agree with fresh installs, they're much nicer and safer. (IMO)
 
Very good idea tesh.

I'm with you, iota and filthpig. I would prefer a fresh install any day.

Our problem was time. If you create the new domain then start moving users, mailboxes, permissions, member servers to the new domain. Well, it turns into a long process versus the plain upgrade PDC, BDC.

Anyway, either way you go you will not be guaranteed no down time. So, fresh install is the way to go!
 
Thanks for all the advice. I am going to follow your suggestions.

I have three servers.

Server A PDC
Server B BDC (NT4 vpn clients)
Server C BDC

1. Promote BDC (C) to PDC.
2. Upgrade NT4 server to win2k server with AD.

3. Do a fresh install on Server A
4. Do a fresh install on Server B

Is this correct?

thanks.

 
that will work.

if you want you can move the AD round so server C can be fresh installed later.

Tesh
 
Thanks for the info so far guys, however I wonder if you could provide me with some answers/ideas to my situation please?

I have a similar setup:

Server A PDC NT4.0
Server B BDC NT4.0
Server C BDC NT4.0 Exchange 5.5

I want to migrate my network over to W2K with AD and also upgrade Exchange Server to 2000.

I also have a couple of spare servers and was going to build a W2K AD server from scratch on one of the servers and install Exchange 2000 on the other.

Would it be possible using the methods explained above to put spare server 1 on my existing network and then promote it to a NT4.0 PDC, take it off the network and upgrade to W2K AD???

Would it also be possible to install spare server 2 onto the network and put a 2nd copy of Exchange 5.5 onto it, replicate the email accounts etc and then take this server out of the network and upgrade it to Exchange 2000??? Is it best to start off with Exch 5.5 on a NT4 or W2K server if so???

Also, instead of doing the above, if I built a new domain from scratch on the spare servers would I be able to simply swap the servers over if the old domain (NT4.0) and the new domain (W2K) had the same domain name and the server IP addresses were the same or would I have to go round each client PC and reconfigure them to log onto the new domain even though the domain name and IP addresses for the servers are the same??? I'm thinking possible trust relationship problems etc.

Also, where would the DNS server fit into this? Should the DNS server be a separate server? I assume DNS would be set up on the first server to have AD installed on it, is this correct?

Any advice on this subject would be great

Many thanks

 
Jatkinson, your first 2 ideas seem ok (not sure with Exchange though but i'd give it a try)

As for the last one, swapping the servers, it's not that easy as AD needs the data out of the NT4 User Manager including the SAM database :( and you would create a problem just swapping them.

I would stick to a systematic upgrade path first do your AD so server.

I.E. take your bdc and upgrade it to 2k then take a new 2k box and attach them together and run dcpromo (i'd use a spare hub between them so they don't get out on to your network)

That's your new AD server built. Then you can start to do the same with Exchange, and hey presto.

Tesh
 
Hi tesh thanks for the reply.

Does this mean then that even if I wanted to setup a new network I'd have to go round each client PC and add it to the domain via Computer Name in System Properties??

Basically I'm trying to find a way of not having to reconfigure each W2K Pro client PC
 
If it's a new network you can create the clients on the server, but you'd be losing all your user info by building a new network and not migrating.

But with a new network you just add the computernames to AD and that's all, but you'd have to make sure things like domain etc. are set on the client side.

Tesh
 