Solved

SBS 2003 migration but with 2 PDCs

Posted on 2004-08-10
18
654 Views
Last Modified: 2008-02-01
Experts,

I plan on performing an SBS 2003 migration from our current NT 4 domain but..... I have 2 PDCs (in 2 physical locations).  I have read MS's documents on performing a migration with 1 PDC (192.168.1.x) but the other PDC is in a different subnet (192.168.2.x).  

I am thinking I may need to physically take the new SBS 2003 server from one site, complete the migration (ADMT) and then take the server to the other site and perform the same thing? (at least the 2 locations are about 30 minutes from each other).

Is this the best method or could I somehow demote one of the NT4 PDCs to a BDC and join the same 192.168.1.x network?

Or if I take the new SBS 2003 server to the second location (192.168.2.x) will I need to change the IP address of the SBS 2003 server?

Thanks
Question by:mkavinsky
18 Comments
 
LVL 1

Expert Comment

by:PeterRanson
ID: 11764198
are you SURE you have two PDCs?

i.e. two separate domains?
 

Author Comment

by:mkavinsky
ID: 11764283
yes
 
LVL 1

Expert Comment

by:PeterRanson
ID: 11764498
step one is to upgrade your first domain.

the best way to do this is to take a BDC offline as a rollback then put the cd in your PDC and perform an upgrade install.

after this is done, you will want to do the same with the other domain, at this point you will have two options.

when the wizard is upgrading the domain part, it MAY give you the option to join it into an existing domain, if so do this; if not then you will need to upgrade it separately, then create a two way trust between the two domains.

after this trust is created you can move the users and computers between the domains. in order to do this you will need to be in native mode.

at this point you will have everything over in one domain, you will then probably want to add an additional domain controller in site two for the main domain.

as for the subnets, providing they are all routed together on quick (i.e. 2 Mbps+) links then you will be fine doing it over the WAN

hope this helps,

peter
 

Author Comment

by:mkavinsky
ID: 11764584
Peter,

Thank you for your quick response.  Unfortunately with SBS 2003 you cannot have a trust with another DC, Small Business Server 2003 can be the only domain controller in the network.  The other part is that this will be a migration and not an upgrade (old NT box does not have the horsepower to be upgraded).   Also, this environment does not have a BDC in either location.  (about 15 users in total)

This is where my dilemma is coming in.
 
LVL 1

Expert Comment

by:PeterRanson
ID: 11764663
ok lets deal with the migration first.

best move is to install NT4 on your new box and set it up as a BDC. take your PDC offline then promote the new BDC to a PDC. (this way you still have your rollback).

put the cd in and upgrade the new box to SBS2003. at this point you will have all of your accounts from domain one upgraded.

step two is to use the domain migration wizard in ADS to migrate over the users / computers from domain two.

please note that doing this from NT4.0 is horrible, and you need to spend a lot of time going through the registry on domain two setting up stuff.

unfortunately i think that in order to do this you require a two-way trust. if SBS2003 will not allow this then this is not going to be possible.

it may be worth you using a standard edition copy, or else you will have to look @ which domain has the fewer users / computers and add them by hand!!!

Good Luck!
 
LVL 16

Expert Comment

by:Nyaema
ID: 11765906
There can only be one Primary Domain Controller in a Windows NT domain.
You can have several Backup Domain Controllers.

But you say you are sure you have 2 PDCs...
That would mean you have two domain controllers.
And if the two PDCs are sharing resources,
means that trusts may have been setup.

Carrying over your PDC to the other site would serve no useful purpose.
As the two servers are on different domains.

Just upgrade the two servers to SBS.
The trust should be carried over.
If not, you can recreate them.
The servers will remain in separate domains.
 
LVL 1

Expert Comment

by:oxymoronx
ID: 11765912
ok ... you didn't answer the question about one domain or two.  based on your description, i'd say two, because a single domain cannot have 2 PDC's ... NT4 is a master/slave setup where there is one/uno PDC and multiple BDC's.  

if you do have a single domain and have two PDC's, then you're not routing your subnets and it could be possible, but definitely not practical.

I'm not sure why you're looking to upgrade to SBS 2003 unless you're just looking for an all in one cheap domain solution and you have less than 75 users (???)  if you have more, SBS will not work for you.  Also, SBS will not work in a multi-domain setting.  AD will not work properly in a setting where the subnets aren't routed.  Based on all of these criteria, I think you're out of luck.  

if you have less than 75 users and absolutely must have SBS2003, i'd suggest building a parallel environment and then simply do a cut-over.
local user profiles will suck and you'll have to visit every desktop to push them into the domain, but still ... worth looking into.  Plus you get to start over from scratch and you don't inherit the mess nt4 brings over.  if they're using exchange, export everyone's mailbox to PST and import into Exchange 2003.  Just make sure you check the mailbox size limitations on Exchange SBS 2003 ... they're preset for you.
 
Basically, if both sites have internet access with an always on/broadband connection, i'd create a point to point vpn tunnel (ipsec) and route all of your subnets together.  Set up the SBS server in the primary site and allow authentication through the tunnel.  or you can turn on Terminal Services and have the 15 users terminal server into the apps they need.  
 
LVL 16

Expert Comment

by:Nyaema
ID: 11765972
If the servers are part of the same domain.
It would mean one is PDC and the other a BDC.

If you intend on keeping the two servers in one domain.
Then forget using SBS and buy the separate components.

But if they will remain on separate domains,
then you would need to break the communication between the two
Upgrade the BDC to a PDC
Install SBS on different domains
i.e. site1.domain.local and site2.domain.local

 

Author Comment

by:mkavinsky
ID: 11766023
no, they are on 2 SEPARATE domains.  There are no BDCs.
 

Author Comment

by:mkavinsky
ID: 11766112
Oxy & Nyaema,

Here is a little more information, some was mentioned above.  There are only 15 users (about 7/8 each site).  2 domains - 1 PDC for each.   Another break for me is that currently we are not running Exchange (rather the ISP hosts mail) but with SBS 2003 I will be bringing that to us.   So there should be no PSTs to export.

Sites are connected via T1.  

What I was asking earlier is if I could physically take the new SBS 2003 server to each location and perform the migration (not an upgrade - I do not have the horsepower to do that on either PDC).

Now I have also purchased a separate Terminal Server for those users in the second location to access some of their apps.

I hope this helps a little more.

Thanks
 
LVL 16

Expert Comment

by:Nyaema
ID: 11766322
You could install SBS 2003 On your new servers and then use the active directory migration tool move over the users accounts.

Unfortunately server 2003 does not let you join an nt4 domain.
The only other option is to install nt4 server as a bdc on the new machine and then promote it to a bdc.
Then upgrade to SBS 2003 - but this would have to be done onsite.
Also you would need symantec's volume manager to resize the volumes.
 
LVL 1

Expert Comment

by:PeterRanson
ID: 11770020
... as i said, the only way you can combine these two domains into one is to upgrade / migrate one, then add the other users by hand! either that or go for Windows Server 2003 Standard. if you only have 15 users or so, then this is not much of a biggie, if you look at the time it would take you to add them by hand ... no more than 15 minutes, versus 2 hours to migrate them PROVIDING you purchased a standard copy ... is it really worth it??!?!?!

let me know how you get on.
 
LVL 1

Accepted Solution

by:oxymoronx (earned 500 total points)
ID: 11784541
T1 and terminal server??? ok this one is easy ...

Go ahead with 2003 SBS ... it's the best solution for your specific needs.

You can follow the migration process on microsoft for nt to 2003, but in all honesty, you'll end up with a much larger headache.  I'd do a scratch domain install.  since there are only 7/8 machines in each site, visiting the desktops would be easy.

build sbs 2003 and add all of the user accounts statically.  microsoft has some good information on their site about transferring profiles and such, but the easiest thing to do is just copy the pertinent data (my docs, ie favs, etc., etc.) to a new location (usually on a network drive) and then build a new domain profile from scratch.  Remember with 2003 and AD you now have the option to utilize GPOs to do AV deployment, folder redirection, etc., so new profiles might be the place to start.

once the new domain controller is online, dhcp and dns has been established (you'll need to do this during off hours, otherwise your clients may have a problem connecting.)  Do not name your domain the same as your old one (netbios)... this will cause conflicts.  once the new domain controller is up and running, dhcp and dns have been verified to be working, user accounts have been created, email accounts, etc., start migrating the PCs to the new domain.  remove them from the old domain, add them to the new domain (you may have to put the dns ip in the properties statically in the beginning) ... and copy back the pertinent data saved previously.  normal applications and such should be fine.  you can also setup the mail client at this time to connect to exchange.  once that is complete, you can transfer over all of the data/apps from the old server to the new.

now, here's the best part ... you don't even need to touch the other site's computers with the exception of installing the Remote Desktop client if they aren't using XP; if they are I'd suggest copying the shortcut to the desktop and renaming it to identify their means to access the new server and their email.  Termservices will redirect printing and allow for saving of email attachments locally.

login directly to the sbs server as those other users creating their profiles ... make sure you don't give them too much access ... heck you can even setup certificates to secure the initial connection ... install the necessary applications that they'll be using (make sure you use application mode) and continue as if you were migrating their pc ... setup email client for exchange, etc., and so forth.  now the other site will login to the network for network resources through the remote desktop client (it'll be faster too) and they can still surf the internet from their own location.  

if this doesn't work, i'd suggest purchasing two cisco pix 501e firewalls and establishing a point to point vpn tunnel and redirect internal network traffic down it.  i'd still stick with one domain server and sbs in your primary and no server in your secondary.  with a T1 and 15 users you shouldn't even begin to tap the bandwidth.

good luck.

 

Author Comment

by:mkavinsky
ID: 11785808
Oxy,

You're on to something here.  Thank you.  I understand what you are saying about the home location and to not really bother with the migration.  More info for you, the users don't even currently have home directories in NT 4.  Everything is local.  They pretty much only have the data on the server.  And of course logins for authentication.  There are no scripts either.  So your suggestion of pretty much starting from scratch is what I was really hoping to do anyway but just move the data from the old NT server to the new SBS 2003 server.

Now the second site is my issue.  First of all, the reason for the second server (Terminal Server) is for ALL users (both offices) to access a few Accounting packages rather than have them all local.  so both offices were going to login to the Terminal server to access some apps.

I was still going to have the users in the second location login at their desktops and authenticate across the T1 to the SBS box.  They would still get mail, etc...  but would have the Remote Desktop connection shortcut on their desktop to access the TS.  (by the way they are all XP Pro or 2000 workstations).  

From your comments are you saying to have the remote users go through TS for everything (mail, apps, etc.)?

Here is my one other dilemma that I do not know much about.  Since there are initially 2 domains, there are 2 subnets (192.168.1.xxx - home office and 192.168.2.xxx - remote site).  The 2 routers in between (Intel 8100) are set at 192.168.1.150 and 192.168.2.150.   I am confused about the subnetting or should the second router (192.168.2.xxx) have the IP address changed to reflect one subnet?  

I am just wondering how the users in the second location are going to connect back to the SBS server if they are currently on a different subnet.  I did check with MS and they said you can have subnets but they said something about another DHCP server at the second location? or do configure another DHCP zone on the SBS box and configure BOOTP/DHCP forwarding on the router?  

Thanks
 
LVL 1

Expert Comment

by:oxymoronx
ID: 11794885
depending upon how much bandwidth on the t1 is available for data, I'd do everything via terminal services, ... just make sure that you configure the server for the processor and memory load.  Although you could do rpc over https for exchange and outlook 2003 ... but you need outlook 2003 in order to do so (the client comes with 2003 SBS ... so that's not an issue)  you would also need to configure the necessary port access, but it should simply be 443 ... microsoft has a decent whitepaper on it.  it could become a headache, but then again .. what in this business isn't.  as for domain authentication, I suppose you could still add the machines to the domain if you really wanted to  ... it would make antivirus distribution easier if you decided to go to a client/server av system, and of course, there's always machine gpo's that could be implemented ... i'd think domain authentication across a live link without encryption would be risky and with encryption may be slow ... you could always try it and if it's too slow, remove the machines from the domain ...

one thing you could do instead of two dhcp servers or forwarding bootp/dhcp, is to assign static ip's (there's only 8 correct?) in the second location and then reserve them in the dhcp server so they aren't dynamically assigned.  this way you're assigning a static DNS address as well, so the client knows where to look for the dc.  just make sure you route the subnets properly on the routers and you should be fine.

one thing I'd highly recommend however is to secure the site to site connections with a vpn tunnel.  I don't think you'd want your microsoft credentials being broadcast live outside your router.

honestly, i think your biggest difficulty will be to properly route the network traffic between the two sites.  other than that it should be as if the offices were on two different floors rather than at different locations.

above all else, have fun.

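The static-addressing arrangement oxymoronx describes for the remote subnet, worked through as an added example (not from the thread or from anyone in it): one workstation on 192.168.2.x gets a fixed address, its DNS is pointed at the SBS server so it can locate the domain controller through the 192.168.2.150 router, a WINS entry is added because NetBIOS broadcasts do not cross that router, and the static range is kept out of the DHCP pool. It is written for a current Windows client with the NetTCPIP cmdlets; on the XP/2000 workstations of the thread the same settings would be entered in the TCP/IP properties dialog or with the older `netsh interface ip set address/dns/wins` commands. The adapter name, the SBS server address (192.168.1.10), the domain name (corp.local) and the static range are constructed placeholders.

```powershell
# Added example, not part of the original thread. Run elevated on the remote-site workstation.
$Adapter   = 'Ethernet'        # adapter name as shown by Get-NetAdapter (assumption)
$ClientIP  = '192.168.2.20'    # static address chosen for this workstation (constructed)
$Gateway   = '192.168.2.150'   # the remote site's router, as given in the thread
$SbsServer = '192.168.1.10'    # PLACEHOLDER: address of the SBS 2003 server (DNS + WINS)
$Domain    = 'corp.local'      # PLACEHOLDER: AD DNS name chosen for the new domain

# 1. Replace the DHCP lease with a static address and the site router as default gateway.
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ClientIP -PrefixLength 24 -DefaultGateway $Gateway | Out-Null

# 2. DNS must be the domain controller, not the ISP resolver: clients find DCs through
#    AD's SRV records, which only the SBS server's DNS zone holds.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $SbsServer
Set-DnsClient -InterfaceAlias $Adapter -ConnectionSpecificSuffix $Domain

# 3. WINS for NetBIOS names (\\SERVER, Network Places). Broadcast resolution stops at the
#    router, so without this entry the other subnet cannot browse the SBS box by name.
netsh interface ipv4 set winsservers name="$Adapter" source=static address=$SbsServer

# 4. Verification, one hop of the chain at a time: routed reachability, DC locator record,
#    and the Netlogon view of which DC the machine will actually use.
Test-NetConnection -ComputerName $SbsServer -Port 445 | Select-Object ComputerName, TcpTestSucceeded
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $SbsServer
nltest /dsgetdc:$Domain

# 5. On the SBS server (not the client): if its DHCP service ever serves 192.168.2.0/24 via a
#    relay, keep the hand-assigned range out of the pool so a lease never collides with it.
#    netsh dhcp server scope 192.168.2.0 add excluderange 192.168.2.20 192.168.2.40
```

Steps 1 to 3 are the client side of what the post recommends; step 4 is the check worth running before touching the next workstation, because each command fails at exactly the layer that is misconfigured (routing, DNS, or domain locator). Step 5 is the server-side half of "reserve them in the dhcp server", expressed as an exclusion range rather than per-MAC reservations since the clients are not asking DHCP for anything.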
 

Author Comment

by:mkavinsky
ID: 11809340
Oxy,

Thank you very much for your tremendous insight and information.  You have validated my points and have also shed new insight.  I will be beginning this project this upcoming weekend and let you know how it turns out or if I may need additional assistance.  Thank you again!

Mark
 
LVL 1

Expert Comment

by:oxymoronx
ID: 11810129
no problem ... good luck.
 

Author Comment

by:mkavinsky
ID: 11877367
Just wanted to give you an update.  Performed the migration this past weekend.  I did end up giving all the desktops a static IP.  Even the ones on the other subnet (192.168.2.xxx).   But what I had to do was also add the WINS server settings under TCP/IP - pointing back to the SBS 2003 box.  Once I did that, they could see the SBS server and then they worked great.  

I did just end up creating the profiles/user accounts from scratch - much easier and fewer problems.  but one thing to note when migrating data from an NT server to SBS 2003- SBS 2003 is extremely tight on security so unless you do an xcopy (which I could not get to work) or use Robocopy you are going to have permission errors (everything was read only).  Which happens because of moving data from one domain to a completely new one.  

But all is well.  Thank you again for your knowledge and wisdom
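The permission problem the update describes comes from copying the NT 4 security descriptors along with the files: their ACEs name SIDs from the old domain, which the new SBS domain cannot resolve, so nobody there matches an allow entry. The following is an added example (not the poster's script) of the Robocopy-based copy that avoids it, plus a check for leftover unresolved SIDs afterwards. It assumes the SBS server has `robocopy` and `icacls` available (both ship with Server 2003 SP2 and later; earlier Robocopy came from the Resource Kit); the share path, destination folder, group name and log path are constructed placeholders.

```powershell
# Added example, not from the original thread. Run elevated on the SBS server.
$Source      = '\\OLDNT\Data'        # PLACEHOLDER: data share on the NT 4 PDC
$Destination = 'D:\Shares\Data'      # PLACEHOLDER: new folder on the SBS server
$DataGroup   = 'CORP\Data Users'     # PLACEHOLDER: a group that exists in the NEW domain
$LogFile     = 'C:\Logs\data-copy.log'

# 1. Create the destination with an ACL that mentions only principals of the new domain.
#    Everything copied beneath it inherits this ACL instead of arriving with NT 4 SIDs.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
icacls $Destination /inheritance:r /grant:r "${DataGroup}:(OI)(CI)M" `
    "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# 2. Copy Data, Attributes and Timestamps only (/COPY:DAT). /COPYALL or /SEC would also copy
#    the old Security descriptors and reproduce the "everything read-only" symptom.
#    /E recurses including empty dirs, /XJ skips junctions, /R and /W bound the retries.
robocopy $Source $Destination /E /COPY:DAT /DCOPY:T /XJ /R:2 /W:5 /NP /LOG+:$LogFile
# Robocopy exit codes: bit 0 = copied, 1 = extras, 2 = mismatches; 8 and above mean failures.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $LogFile" }

# 3. Check: list any ACE whose principal is a raw domain SID (S-1-5-21-...) instead of a
#    resolvable name. After a /COPY:DAT copy into the prepared folder this should be empty;
#    a non-empty list means security descriptors were carried over from the old domain.
function Find-OrphanedAce {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
                [pscustomobject]@{ Path = $_.FullName; Sid = $ace.IdentityReference.Value }
            }
        }
    }
}

$orphans = Find-OrphanedAce -Root $Destination
if ($orphans) {
    $orphans | Format-Table -AutoSize
    # Remedy for a folder that was copied with /SEC by mistake: drop the stale ACEs and
    # re-inherit from the prepared parent.  icacls $Destination /reset /T /C
} else {
    "No orphaned SIDs under $Destination"
}
```

The design choice is to let inheritance do the work: permissions are defined once, in the new domain's terms, at the top of the share, and the copy deliberately does not preserve security. `Find-OrphanedAce` is the post-copy check; an unresolved `S-1-5-21-...` in an ACE is exactly the signature of data that still carries the old domain's permissions, and `icacls /reset` is the repair when that turns up.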
