[Experts] Few Windows 2003 Questions [Need Expert Advice]

Question 1.
Does an Active Directory or NT domain have a SID?
In part of my NT migration I have used the ADMTv2 tool. I am now going to use the domain rename to correct the domain name to how it used to be. The majority of our clients are running legacy systems (95, NT, 98, ME) so they will find the domain via NetBIOS. It's quite important that we don't have to visit these machines. Currently they are connected to our <companyDomain> on the NT server. With the new Windows 2003 server we hope to give it the same computer name and re-create the domain name.

Question 2.
Domain Rename.
Currently we have <tempCompanyDomain.local> and it needs to be changed to <companyDomain.local>
It's in its own forest created from scratch and the Windows 2003 server is running in 2000 native mode.
How easy is this domain rename going to be? I was thinking of using the Domain Rename.exe tool. Or could I easily create a new domain and move my user accounts over?
I need expert advice on this one! ;-)

Question 3.
How can I back up my system state and all AD stuff? It's getting annoying reformatting each time =)

Question 4.
How can I migrate my passwords over? Is it possible? In an ideal world we would like to do this as it makes the IT department look good. If we have to tell 60 users their unique secret password is "password" ;-) then they will think it's a botch job upgrade.

Question 5.
When I used the ADMTv2 tool it didn't migrate the computer names. To me this doesn't seem like a big thing, as when I log on for the first time on a computer it adds its computer name and stuff to the computers list. I heard that this only happened because I am an admin and won't happen for the rest of the users. I'd like a second opinion on this. Could I manually add in the computer names here instead? Or is there some unique SID or something?

Question 6.
Did I bore you with those questions :P

I'd appreciate the experts who can answer my queries! =)


ADMT can migrate computers, usernames, groups, service accounts, etc. Just read the links I provided above.
georgecooldude (Author) commented:
Thanks for the list of cookbooks. I didn't know about these and will certainly check them out. I'm also still after some suggestions to my questions as the books assume you've a massive network with a large team. At the moment I am the only person doing this migration with no prior experience. ;-) hehehe.

For question 4, the answer is yes: ADMT will allow you to migrate passwords or change passwords.

Question 5, the answer is yes: ADMT can migrate the computer from one domain to another. From the menu, select computer migration. I just made a screenshot, look at it:

georgecooldude (Author) commented:
=) Thanks for answering Questions 4 and 5. The screenshot is handy too!

Do you know the answer for Questions 1,2,3 ?
I am worried there is some sort of domain SID, as that would cause me some problems.
I am not sure about q1, q2, q3, so I won't answer those. :-)
georgecooldude (Author) commented:
Also does my forest root have a name?


If I rename the domain what will the forest be called? Does a forest even have a name?
map000 (Senior Security Engineer) commented:
q1 - no, they don't; only objects receive SIDs from DCs
q2 - default in 2003, to change the domain name, the forest must run in 2003 native mode; it's not very easy

q3 - use ntbackup tool to backup AD and system state
map000 (Senior Security Engineer) commented:
q2 - it depends very much on your configuration: how many DCs do you have; are they local or remote ...
georgecooldude (Author) commented:
We only have 1 DC.

It's running in 2000 native mode. Is there no other way to change my domain?

I really need to fix this urgently :(

I had an NT machine which I promoted to PDC and put onto a private network. The domain was called <firstdomain>.
I set up Windows 2003 and created a trust and used the ADMTv2 tool. The domain had to be called something different to the NT domain for the migration to take place. So I gave it a name of <seconddomain>. Now I have all the user accounts on the new server but the domain is wrong. I need to change it to <firstdomain> so we don't have to visit each PC.

Or can I make a new domain on the same 2003 server and then drag and drop the user accounts and stuff over?

The Windows 2003 server is the only server in our network. It runs Active Directory and DNS.
georgecooldude (Author) commented:

>>For question 4, the answer it yes, admt will allow your to migrate password, change password.

How can I use ADMTv2 to migrate the password? Which option do I choose? I don't see any password bit.
You may already have looked at this, but just in case...

"Windows Server 2003 Active Directory Domain Rename Tools"


Take a look down the right side of the page, there are links to several Word documents including one called "Step-by-Step Guide to Implementing Domain Rename"

As you know you can use NTBACKUP to backup system state, although remember that the backup is only good for 60 days on an AD DC.

You can use the ldifde tool to export and import your Active Directory objects.

See "Using LDIFDE to Import and Export Directory Objects to Active Directory"


For more information about the uses and drawbacks to using this tool, browse some of these articles:


To migrate users and passwords see

 "How to configure the Active Directory Migration Tool to migrate user passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain"


And finally, good luck!! It sounds like you've bitten off more than you expected!
george, refer to my screen shot on migrating password :


You have to select migrate password and select the source domain.
georgecooldude (Author) commented:

But how did you get to this screen? In the first bit I don't see a password bit. What's it called?
I guess I know why: you have to generate a key. Refer to: http://support.microsoft.com/default.aspx?scid=kb;en-us;832221

look at point 3.
georgecooldude (Author) commented:
OK, I've migrated all my users and stuff across.

All our computers are currently pointing to <ourdomain> with an NT server.

I've built our 2003 server and given it the same computername and domain <ourdomain.local>

Now I would have thought all my legacy systems (95, NT, 98, ME) would be able to connect without any changes other than the DNS and WINS address changes. I did that but they cannot log onto the domain. Why?
Can they contact the Domain Controller for ourdomain.local?

Is it their log-ons that are being refused?

Are the workstations joined to ourdomain.local now?
georgecooldude (Author) commented:
I'm only trying with the legacy systems at the moment.

They should be able to use <ourdomain> as it's within the 15 characters and that's what AD is saying is the legacy domain name.

How can I check if they can contact the domain controller? Both can ping via computername and IP address.

The workstation I am trying with was joined to the NT domain called <domainname> and I have removed it from the network and placed it onto my test one. I added DNS and WINS entries but it's strange it won't connect.

Any ideas? I probably missed something along the way. Although as a domain doesn't have a SID I would have thought it would still look for <domainname> and wouldn't notice if it was an NT system or 2003 system. Is there any sort of support pack I would need to install on the NT machine?
georgecooldude (Author) commented:
OK, I think the problem is down to the DNS on the server. I tried doing nslookup and it can't even find its own name.

How can I fix DNS? I don't know much about its setup.
georgecooldude (Author) commented:
OK, I think I fixed my DNS.

Do you have any idea how to check what service pack a computer is running and how I could remove one?
Yes... right-click My Computer choose Properties and look on the General tab.
georgecooldude (Author) commented:
OK, I checked that and it's running Service Pack 6, high encryption version.

Any ideas how I could check the DNS server?
The event log isn't bringing up errors, so maybe it is fine now.

If it is what else could be the problem?
What is the error message when you can't log in?
georgecooldude (Author) commented:
the system could not log you on.

Make sure your username and domain are correct.

Are you specifying the domain as "DOMAIN" or "domain.local"?

The first form will use NETBIOS name resolution, the latter should use DNS.
This could be indicating a name resolution issue you need to solve. First you need to be sure which method is being used.

Is the test workstation using DHCP to get its IP parameters? If so you can only have one DHCP server on a network segment so if OLDDOMAIN is handling DHCP it'll be telling the workstation to use OLDDOMAIN name resolution services.

Try manually setting the IP address, DNS, and WINS parameters to the new server IP address in the LAN adapter properties of the workstation.

If that solves it, then until the new server takes over DHCP for the network segment you'll have to provide manual settings.
georgecooldude (Author) commented:
for the legacy clients it will be as DOMAIN

I guess they all use NetBIOS.

For the moment I'm testing with static IPs.

The WINS and DNS addresses are in the NIC properties but it still doesn't seem to be able to log on. I tested everything on my XP Pro machine and I can log on fine and DNS records are created.

I had a look in the WINS bit and there is no record of the legacy system, nor in DNS, which indicates this is the problem.

How might I check the WINS service? Can you think of anything special I need to add to the machine? It is running NT Service Pack 6 so it should be supported.
georgecooldude (Author) commented:
OK, part of the problem was I had LMHOSTS Lookup enabled on the WINS lookup. I turned off this option and now when I try nslookup from the command prompt it comes up with the server name.

But when I try net view from the command prompt it's unable to find the list. What should definitely be turned on and what should definitely be turned off in the NIC configuration?
I seem to remember a change in the default encryption policy between NT4 and Windows 2000. Ahhh yes here it is...

"How to enable Windows 98/ME/NT clients to logon to Windows 2003 based Domains"


Try that and see how you get on.
georgecooldude (Author) commented:
Thanks for the link. I am installing the AD client thingy now.

Do I require NTLM 2 authentication as well?

Modifying the registry is not something I particularly want to do, but if it's the only way then that's fine.

Should I also have a DNS entry for the server on the legacy clients or should it just be WINS?
georgecooldude (Author) commented:
Well, it helped out a little.

I now get the message "The system cannot log you on because the systems computer account in its primary domain is missing or the password on the account is wrong"

I migrated the computer accounts across though, which is strange. It could be to do with the NTLM2 as I've not installed that yet.
Try rejoining the computer to the domain. Once you've left the domain make sure to delete the computer account on the Domain Controller, then rejoin.

You *should* be okay then.
georgecooldude (Author) commented:
OK, I will try it.

Is this going to be a requirement? I was told by someone else the computer accounts need to still be in there. :S
georgecooldude (Author) commented:
OK, still no luck.

I deleted the computer account <computer.name> from the Active Directory.

Then when I tried adding it in again as <computer.name> (yes, it does have the dot) it said it wouldn't allow the dot as it wasn't a valid character.

Now has something changed here because windows NT doesn't seem to care about the dot whilst 2003 does. Any ideas?
If this fixes the problem it could indicate a problem was introduced when you copied the computer accounts.

One thing that bothers me is that earlier you said the new computer has the same name as the existing one?

If that's the case then NetBIOS will be having name collisions unless you separate the two onto different network segments/subnets.
georgecooldude (Author) commented:
Yeah, the new computer has the same name as the old server, except it is not on the current test network and won't be on the network once everything is set up.

We have to keep it the same name as a lot of people have Excel spreadsheets with the server name embedded in them rather than mapped drive links. It has been estimated there could be a few hundred of these and we've no idea where they are.

I cannot seem to remove the dot from the computer name either as it then doesn't let me choose a domain name. :-(
Would a dot be a problem? Is it disallowed in windows 2003?

Man this really has me stuck
You can't have a 'dot' in a computer name, so far as I know. You can have one in a Domain Name though.
What happens if you log on locally to the workstation, then try to access a non-guest share on the new server?

It ought to prompt you for a username/password combination.

You should use one that is on the server, and type it in the form "DOMAIN\USER" where DOMAIN is the NetBIOS name for the Domain.

If that fails you'll have event log messages on the local workstation and the server to help narrow down the issue.
georgecooldude (Author) commented:
If I go to network neighborhood and select the server and try to open it, it requires a username and password. I enter that and I can get in fine..

The thing about the dot in the computer name. How come Windows 2003 doesn't like it but NT didn't have a problem? Is there some info on the subject I could read up on?
The reason for not having the dot is because it interferes with DNS name resolution, which Windows 2000 and 2003 rely on as the primary name resolution service, especially with Active Directory.

DNS is based on Internet names which reserve the dot as a separator character between domains and sub-domains, "machine.subdomain.domain.com" for example.

If the machine was called "my.machine" in the domain "domain.com", then when it came to DNS resolution and the DNS domain was tacked on to make "my.machine.domain.com", the operating system would be looking for a DNS server that was authoritative for the domain "machine.domain.com" and then it would look for the host "my" in that sub-domain; but that sub-domain doesn't exist, so it fails.

Remove the dot from your computer name and it correctly tries to resolve "mymachine.domain.com" and as your Active Directory DNS server knows about "domain.com" and the host "mymachine" is in the zone file as an A (host) record, everything works fine.

In the NT4 days it was all NetBios and SMB protocol with WINS so this DNS-specific issue didn't occur.
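The following Python script is an added example, not code from this thread or from Microsoft. It mirrors the explanation above, and the earlier point about logging on as "DOMAIN" versus "domain.local": it reports which name service a logon domain string implies, checks a proposed computer name against the NetBIOS 15-character and no-dot rules, and walks a dotted host name through DNS-suffix composition against a constructed zone table. The zone table, the 192.0.2.x addresses and the illegal-character set are assumptions of the example.

```python
"""Why a dot in a computer name breaks DNS resolution (added example).

The zone table, addresses and illegal-character set below are constructed
assumptions for illustration, not data taken from the thread.
"""
from __future__ import annotations

NETBIOS_MAX_LEN = 15
# Characters Windows refuses in a NetBIOS computer name (assumed set for this example).
NETBIOS_ILLEGAL = set('\\/:*?"<>|+=,;[] ')


def resolution_method(logon_domain: str) -> str:
    """Return which name service a logon domain string is resolved with.

    'DOMAIN' (no dot) goes through NetBIOS/WINS; 'domain.local' goes through DNS.
    """
    return "DNS" if "." in logon_domain else "NetBIOS"


def check_computer_name(name: str) -> list[str]:
    """Return the problems with a proposed computer name (empty list means OK)."""
    if not name:
        return ["name is empty"]
    problems: list[str] = []
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters")
    if "." in name:
        problems.append("contains a dot, which DNS treats as a label separator")
    bad = sorted(set(name) & NETBIOS_ILLEGAL)
    if bad:
        problems.append("contains illegal characters: " + "".join(bad))
    return problems


def split_fqdn(hostname: str, dns_suffix: str) -> tuple[str, str]:
    """Decompose host + suffix the way a resolver does.

    The first label is the host; everything after it is the zone that needs an
    authoritative server.  'my.machine' + 'domain.com' -> ('my', 'machine.domain.com'),
    which is exactly the non-existent sub-domain the post describes.
    """
    fqdn = f"{hostname}.{dns_suffix}"
    host, zone = fqdn.split(".", 1)
    return host, zone


def dns_lookup(hostname: str, dns_suffix: str, zones: dict[str, dict[str, str]]):
    """Resolve against a constructed zone table {zone: {host: ip}}.

    Returns the IP, or None when no zone is authoritative for the composed name
    or when the host record is missing from that zone.
    """
    host, zone = split_fqdn(hostname, dns_suffix)
    if zone not in zones:
        return None  # no server is authoritative for e.g. 'machine.domain.com'
    return zones[zone].get(host)


# Constructed Active Directory DNS zone: only 'domain.com' exists, with two A records.
ZONES = {"domain.com": {"mymachine": "192.0.2.10", "dc1": "192.0.2.1"}}


if __name__ == "__main__":
    for candidate in ("my.machine", "mymachine", "averyverylongcomputername"):
        print(candidate, "->", check_computer_name(candidate) or "OK")
    for logon in ("DOMAIN", "domain.local"):
        print(logon, "resolves via", resolution_method(logon))
    for host in ("my.machine", "mymachine"):
        print(host, "+ domain.com ->", split_fqdn(host, "domain.com"),
              dns_lookup(host, "domain.com", ZONES))
```

Running the script shows the dotted name composing into a zone the constructed DNS server is not authoritative for, so the lookup returns nothing, while the same name without the dot resolves from the A record; the name check flags the dot before the machine is ever joined.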
georgecooldude (Author) commented:
OK, I had a look in the Event Viewer and I have a NETLOGON error.

"No Windows NT domain controller is available for domain CARGOHOMESHOP ...
The following error occurred. The security account database contains an internal inconsistency"

Is there a way I can get it to look for a 2003 domain controller and not an NT one without re-joining it to the domain?
georgecooldude (Author) commented:
Thanks for your explanation of the dot thing as well =)
Are you still trying to do this with that dot in the computer name?

Have you managed to rejoin the PC to the new Domain?

In other words, are you at the point where you're trying to log in as a user to NEWDOMAIN\USER having already joined MYCOMPUTER to NEWDOMAIN successfully?

Sorry if I seem to be missing where we're at, I've got a few similar situations rolling around in my head and I'm losing the plot ;-p
georgecooldude (Author) commented:
I removed the dot from the computer name.

Currently the computer is still looking for an NT domain controller called <ourdomain>

Is it possible to make it look for a 2003 domain controller called <ourdomain>

I think I will be able to log onto the domain successfully if I re-join it, but I'm wondering if it's possible to do without re-joining it to the domain.
georgecooldude (Author) commented:
When I try

NEWDOMAIN\USER as a logon, I get the original "make sure your username and domain and password are correct" error. So it's still looking for the NT domain controller. Where might this info be stored so I can change it?
If you're using the same name and you're on a different network segment (your test network) then the version of the OS that serves NEWDOMAIN isn't known to or of interest to the workstation when it searches for the Domain Controller.

Firstly it'll do a DNS lookup for the FQDN of the Domain you're trying to log on to.

So it'll look for NEWDOMAIN.LOCAL, for example, if that's the DNS name of your Active Directory domain.

It should get back the IP address of the Domain Controller for NEWDOMAIN.LOCAL

Then it will contact the DC on that IP and begin the authentication process.

It sounds to me as if you need to rethink where you've got to here; you're having a lot of messing about with something that should be relatively simple.

If you haven't already done so, take a look at this document

"Migrating Windows NT Server 4.0 Domains to Windows Server 2003 Active Directory"


georgecooldude (Author) commented:

Thanks for your help. You've cleared up a lot of confusion.

I re-joined the computer to the new domain.

The strange thing is there is no record of the computer in DNS or WINS yet it can connect fairly quickly...
Why might this be?
Usually (!) that's caused by the LAN adapter properties on the workstation.

Take a look at this demo:


(If you have problems with the streaming media above, try the web download http://tjworld.net/help/ee/Q_21211352a.wmv instead.)

Note that the DNS suffix is set to the Active Directory DNS name.

georgecooldude (Author) commented:
OK, that's interesting.

I guess this needs to be changed on XP machines.

This has also helped me solve my NT problem!

Now WINS is getting the addresses registered.

Thanks for your help!

= - )           BIG SMILIE FACE!
georgecooldude (Author) commented:

Quick question. Is a 95 machine able to join a domain using the DSclient?
Ermm... I can't say it's something I've ever tried (or wanted to) but I seem to recall something about the DSClient working for 95/98 etc.
georgecooldude (Author) commented:
ok, well I'll give it a go =)

Seems to be working on windows 98... At least I think it is ;)