
NT4 to 2K Server Migration Help 1

Status
Not open for further replies.

skhoury

IS-IT--Management
Nov 28, 2003
386
US
Hello all,

I work for a small company that currently has the following network setup:

NT4_PDC / File server
NT4_BDC / Email server
NT4_BDC / Database server
2K client PCs

Simple enough....my task is to upgrade all three machines to Windows 2000 server.

Ignoring all the machines except the PDC...what should be the first step?

We have already purchased a new machine to act as our new PDC, so the old machine will not be used.


Any thoughts on what direction I should take this?

I have taken a dummy machine, and setup Win2k Server on it as a test. But how should I actually configure the server itself, since it will eventually be the new PDC? In other words...should I create a new domain? Add it to the domain? A new sub domain?

So confused...any guidance will be very appreciated.

Many thanks in advance!


--Sam
 
Since your environment is so small, the generally recommended path is this:
  • Install your new server as an NT 4 BDC
  • Promote the new machine to be PDC
  • Temporarily take the old PDC (which is now a BDC) offline, just in case there are problems with the upgrade
  • Upgrade the new machine to Windows 2000
  • Test that everything (logons, e-mail, apps, etc.) works

Assuming everything works, you can then upgrade the other servers.

You may also want to look at this MS KB article. MS has a lot of good information on upgrading; search for more articles in the KB.
 
Awesome, thank you so much for your response.

I will most likely take that path, BUT:

Assuming I didn't want to change the domain name, machine name, etc., is there any way I can do a fresh install of 2K and get the same results, versus building the machine as an NT4 box, then upgrading?


Many thanks again!!

Sam
 
I'd recommend that you install Win2k from scratch, then recreate the users in the "new" domain (always use a .local domain) and then move each client to the "new" domain. Upgrading is asking for trouble later because NT did not use FQDN or DNS and these are integral to Win2k AD...plus you can install 2k in "native mode" and not have any legacy info in your AD.

Exmerge the Exchange mailboxes to tape/CDR or such, wipe and install Win2k/Exchange2k, then exmerge mailboxes to the new Exchange after setting the users' mailboxes...definitely don't upgrade Exchange!

Just what I learned from my own experiences...

Alex
 
Alex,

Thanks for the response. So what you recommend is basically starting from scratch, and creating a new domain,
and adding all the users into this domain?

Is there a tool to export everything (Users) from NT4 to the 2K box?

Also, what do you mean by a .local domain?

Thanks so much for your responses!!

Sam
 
The Active Directory Migration Tool (ADMT) can be used to copy all of the user accounts from the NT 4 domain to the new 2000 domain.

For the .local, Active Directory requires DNS to function. This means that the domain name is now in the format foo.com instead of just foo like it was in NT 4. (Note though that the domain name will also be advertised as foo for compatibility with Win 9x/NT4 clients). Since this will be an internal DNS, not advertised to the outside world, and to prevent possible confusion with any actual Internet-accessible domain name that you have, the recommendation is to make your domain name something like foo.local. Clear as mud?

You can't do a fresh install of 2K and keep the same domain name (due to the note mentioned above).

I followed the upgrade path and my domain controllers didn't have any problems (a couple of member servers did, but that's another story).
 
Ok, so it seems like the general consensus is to get the new machine, set it up with NT4, promote it to PDC, then set up Win2k on top of it (following the .local domain naming).

I suppose that's what I'll do then! Hopefully things will work out smoothly...


By the way, do you guys know if the full version of 2k server will *upgrade* an NT4 machine?...or do I have to get the upgrade version?


MANY THANKS FOR ALL YOUR HELP!!

--Sam
 
Any media version will upgrade an existing server version.

Alex
 
If the database server is SQL, and you used integrated security, you'll want to go the upgrade route. Otherwise you'll end up re-ACLing your database or buying a tool like Aelita DMW that can do that for you.

 
Thanks for the DB tip xmsre! I'll certainly take that into consideration when we get to that system.

--Sam
 
My suggestion, start from scratch. Why? fallback, fallback, fallback. If something goes wrong you simply reconnect your old Servers. We did our Migration to 2000 nine months ago and the most important thing you need to do is test as many times as possible before going live.

If you have the opportunity to get a new server to install 2000 Server, take it! All you need is a switch, one client and the server; install 2000 Server and mock your domain. Keep them totally separate.

In the evening when users have gone home, take the old server offline and connect the new one. This will give you an opportunity to install and test any software you need to. You will be able to test in a live environment and still have your original Server available in the event that you get yourself in a snag.

Trust me, there are a lot of problems associated with the upgrade. It is best to setup a small domain with your new 2000 Server and test until you can't test anymore. As you encounter problems, correct them, test again and try again in the night when users are off the system.

Also, importing the user accounts is fine, but any directory security will still have to be setup again. Recreate the accounts, install your AD, create and apply security and test several times before going live. Even if you go live and there are problems you can always plug the network cable out of the 2000 Server into your old Servers.

This scenario gives you the most functionality, ability to test in a live environment, a fresh 2000 installation and most of all, a fallback plan.
 
Pure genius 2cornot2c! That is precisely what I am going to do. Start fresh, test, and slowly migrate users over to the new domain!!

I love this stuff! :)

--Sam
 
Some more tips for you.

When you are finished with the installation, remove the Everyone [Full Access] from your Server root and propagate it down. By default, when you install 2000 the Everyone group has Full Control, leaving your system open for hackers. Replace the Everyone account with Authenticated Users.

Learn a lot about DNS; a functioning 2000 Domain is built on DNS.

You might need to do some minor network changes on your 2K Clients to get the full benefit of the security features using AD and Group Policy. There are two ways to add a 2000 Client PC to a domain; the best way is to use the Network ID button in the Network Identification tab in the Properties of My Computer. Simply clicking on the properties button and changing it to Domain instead of Workgroup isn't enough and sometimes your Group Policy settings will not affect those clients that were set up that way. This is not something that you need to address right away; concentrate on the Migration first, then work on creating OUs and applying GPs.

Make sure that all of the programs, drivers and any other software that will be installed on the W2K Server are compatible; an incompatible piece of software will have severe effects. I remember that we had to wait for IBM to release an upgrade to our Database before we could Migrate.
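
An audit for the Everyone / Full Control tip in the post above, as an added example that is not part of the original thread: it only reports directories whose ACL still grants Everyone Full Control, so the result can be reviewed before and after the change. It assumes a management host with PowerShell 3 or later and read access to the target path; the function name `Find-EveryoneFullControl` and the path `D:\Data` are hypothetical.

```powershell
# Added example (not from the thread): list directories where the Everyone
# group is still allowed Full Control. Read-only; it changes no permissions.
# Assumptions: PowerShell 3+ on a management host; function name is hypothetical.
function Find-EveryoneFullControl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,  # local path or UNC share to audit
        [switch]$ExplicitOnly                 # ignore ACEs inherited from a parent
    )

    $everyoneSid = 'S-1-1-0'      # well-known SID for Everyone (language independent)
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll  = 0x10000000     # GENERIC_ALL, sometimes stored raw in inherit-only ACEs
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inherited   = -not $ExplicitOnly.IsPresent

    # Audit the root itself, then every directory below it.
    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }

        # GetAccessRules(includeExplicit, includeInherited, targetType)
        foreach ($ace in $acl.GetAccessRules($true, $inherited, $sidType)) {
            $rights = [int]$ace.FileSystemRights
            $isFull = (($rights -band [int]$fullControl) -eq [int]$fullControl) -or
                      (($rights -band $genericAll) -ne 0)

            if ($ace.IdentityReference.Value -eq $everyoneSid -and
                $ace.AccessControlType -eq 'Allow' -and $isFull) {
                [pscustomobject]@{
                    Path        = $dir.FullName
                    Inherited   = $ace.IsInherited
                    AppliesTo   = $ace.InheritanceFlags
                    Propagation = $ace.PropagationFlags
                }
            }
        }
    }
}

# Constructed usage: explicit (non-inherited) grants are the ones to fix first.
Find-EveryoneFullControl -Root 'D:\Data' -ExplicitOnly | Format-Table -AutoSize
```

Rows with `Inherited = False` mark where the grant is actually set; fixing those and letting inheritance propagate clears the inherited rows beneath them.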
 

I just recently took the path of setting up a fresh BDC and then promoting it to a PDC. I then performed an inline upgrade of the newly promoted PDC to Win2K AC/DC (Active Directory/Domain Controller). I then confirmed that all the user/computer accounts had transferred (around 700 user accounts/500 Computer Accounts). I've transferred the "operation masters" role to a server that was not upgraded from NT4, a fresh Win2K install. I can then pull the PC I used as the in-line off the network. Using this path of upgrade, I didn't have any issues. I did however put this through a test network until I was confident about the migration.
 
Hi Sam!

I'm in exactly the same position as you and have the same questions/concerns. I have a very similar setup of servers and have just been on a three day Win 2000 Server Admin course. Now all I need to do is upgrade...

My tutor recommended a clean install rather than an upgrade as being the way forward (even if more time consuming). This seems to be the majority opinion all round although I can see that this is likely to always be a debatable subject.

Having read your posts so far, I think I'm going to follow the route of building a new Win2000 Server separate from our network and creating similar user and computer accounts, etc. Then, as 2cornot2c said, I will switch it over when my users are offline in the evening and see how things go.

I did read about the ADMT (Active Directory Migration tool) providing a useful method but I'm wondering if it's still easier to create everything manually if you haven't got too many users/computers, etc.

Have you started/finished your upgrade yet? Please do let me know how it goes. Your experiences will be very valuable to me!

Best wishes,
Josh.
 
Hey Josh,

Great, it's good to know I'm not the only one getting into this. Well, funny that you ask because we just finished purchasing two new Dell servers. As soon as they come in, we are going to start building them up and migrating over.

I am going to stick to the fresh start approach. It's nice and clean, and I build up the server completely from scratch exactly the way we want it. Plus, we only have about 70 users and about 10 groups. Nothing too major...

That is what I call "Phase I" of the migration. The next phase will involve rebuilding our mail server on a new 2K machine and migrating everyone's mail from a 5.5 to a 2K AD installation. Also, this will involve moving our Blackberry server, and including an AntiSpam/AntiVirus MTA (TrendMicro software). Migrating of the emails is very easy, and much cleaner than migration of the NT accounts. Plus the migration tool will match the mailbox to the user automatically for you.

The last phase will be to upgrade (not rebuild) our DB server.

Granted, it is a lot of work because we have to run around to everyone's desktops and migrate their profiles over, etc., but in the end it's worth it because you have a very clean backend....and that's what you want!


Please let me know if you have any thoughts, ideas, or questions, and good luck!

--Sam
 
Once you have your server up and running, do some security lock down before proceeding with the software installations. Install the Microsoft Baseline Security Analyzer on a workstation connected to your 2000 domain and have it do a security check of your server. You can enter the IP address of your server and analyze it directly from the workstation. The analyzer can be downloaded from the following link.


You can also use this to analyze your client workstations once you have deployed your servers. Run the analyzer again once you are finished patching and installing all your software on your servers.

If you are running Exchange, run the IIS lockdown tool from Microsoft after the setup. Apply the recent service packs for Exchange, very important.

You could prepare in advance for this by downloading your service packs in advance so when you are ready to install you have all the resources on hand.

One other approach we took was creating an alias for our Administrator account. Although it was a good security measure, it does require some due diligence (read about it before doing it). Do as much security lock down before deploying; document all security changes so that you can modify them if you run into problems.

2000 has many features to help you lock down a client's ability to access, change and/or modify network and workstation settings. End users usually get offended when they are given something and then it is taken away. Therefore, if you are planning to remove certain client features using GPs and Security policies, it is best to do it from the get go. If the users didn't have it to begin with, then they won't miss it, that's my theory.

I know this is a lot to swallow, you don't have to implement all or any of my suggestions. These are just some of the things that I know I would have liked to have had when I was doing my migration.
 
skhoury,
Please advise how the upgrade went and what path you used.
Any problems and what you did to fix them.

I need to upgrade our NT 4.0 PDC, should have done it a year ago but just did not get it done. I have 25 clients (a mix of Win2k pro and XP Pro) 2 data servers ( Windows 2000 server).

seechance
 
Yeah - I'd be interested to know how it went too.

I'm still stuck on NT for the time being until my company can afford some new hardware.

Josh.
 
After some serious studying and thinking, I decided to go with the clean install route too.
So I would be interested in what problems/trouble are connected to creating new accounts for users. Like home folder access, desktops & shortcuts, printers... What else?


 