  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 508

PDC Emulator role. Transfer from NT server to 2003

I have an NT domain. I had to rename it so I could use the ADMTv2 tool to migrate some stuff to my new Windows 2003 domain.

Now my old clients can't connect without a domain rejoin. The 2003 domain is the same name as the original NT domain was named.

Now I can create a new NT PDC to transfer the PDC emulator role across. Basically I want to have a PDC emulator on my 2003 server so the old clients don't have to rejoin the domain. I don't care about rejoining the 2000 and XP machines to the domain as we only have a few.

How can I do this?
Asked by: georgecooldude

2 Solutions
 
Chris Dent (PowerShell Developer) commented:

The PDC Emulator isn't actually the PDC as you know it in Windows NT. While it performs the functions of the old PDC, it has some additional tasks.

This role cannot be transferred to or from an NT machine and an NT PDC cannot exist on a Windows 200x network. The PDC Emulator itself will of course exist already on the 200x domain.

Beyond that, I'm not quite sure what you mean.

Here's the relevant Microsoft text on it:

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000 domain, the PDC emulator role holder retains the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.  
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.  
• Account lockout is processed on the PDC emulator.  
• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment.

The following information describes the changes that occur during the upgrade process:

• Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.  
• Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.  
• Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.  
0
 
georgecooldude (Author) commented:
Does a Domain have a SID or GUID? I'll assume it has a GUID???


I currently have a PDC emulator in my 2003 server. Except as this domain was created from scratch it has a new GUID. So my PDC emulator must have the new GUID to reflect this.

Now my legacy systems when they connect are looking for <ourdomain> which has the old GUID.
My 2003 server has the same domain name in the PDC emulator but I think the GUID is different as this domain was rebuilt.

I need to somehow import a new GUID or something so the clients think that the PDC emulator is the correct one and not in fact a rebuilt domain?

Is this clear? I'm a bit confused on the subject.
0
 
WeHe commented:
Your clients MUST rejoin the domain. It's a new domain (with different SID).
Even if you name it the same as your old domain, you must rejoin them.

The NT PDC role can't be transferred to another domain; each W2K3 domain already has its own PDC emulator.
Anyway, a PDC (emulator) role cannot be transferred from an NT domain to a W2K3 domain.

You must rejoin all clients into the new domain.
The only way to avoid rejoining would be to upgrade the NT domain, not to migrate it into a new one.
0
 
georgecooldude (Author) commented:
erm,

Currently the legacy systems connect to <Ourcompanydomain>\<username>

The new PDC emulator is part of the same domain name that was built from scratch: <Ourcompanydomain>\<username>

So in human form this is the same, but in computer form the company domain must have some sort of different GUID or something. I would like to change this by transferring the role so I don't have to reconnect my legacy systems.

If at all possible.
0
 
georgecooldude (Author) commented:
[quote=WeHe]

>> The NT PDC role can't be transferred to another domain; each W2K3 domain already has its own PDC emulator.
>> Anyway, a PDC (emulator) role cannot be transferred from an NT domain to a W2K3 domain.

Why is this? I thought it was possible from other sources I have read.
0
 
Chris Dent (PowerShell Developer) commented:

I'm not sure you can change the identifier for the domain.

A lot of the Microsoft Documentation on this type of domain rebuild suggests the NetDom tool, but you've experimented with that before I think.

I'm not sure if it'll help at all but this is the Microsoft section which details a number of different migration strategies.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp4.mspx#EBAA
0
 
Chris Dent (PowerShell Developer) commented:

>> The NT PDC role can't be transferred to another domain; each W2K3 domain already has its own PDC emulator.
>> Anyway, a PDC (emulator) role cannot be transferred from an NT domain to a W2K3 domain.

> Why is this? I thought it was possible from other sources I have read.

The PDC Emulator role does not exist on the Windows NT network; equally, the PDC role does not exist on Windows 200x networks.

There isn't an upgrade path where the role is transferred, except with an in-place upgrade. But strictly speaking that isn't a role transferral.
0
 
georgecooldude (Author) commented:
Maybe it's possible to remove the PDC emulator role? And then transfer it from a PDC back to the Windows 2003 domain?

Thanks for the link. I'll take a look at it.
0
 
georgecooldude (Author) commented:
Maybe it's possible to change the domain SID via the registry or something?

Is there a way I can set up my PDC emulator to accept logon requests from anyone wanting to connect to a certain domain or SID?

Does any sort of domain SID history exist?
0
 
georgecooldude (Author) commented:
Chris, sorry, I just noticed your post above at 12.34pm.

>> There isn't an upgrade path where the role is transferred, except with an in-place upgrade. But strictly speaking that isn't a role transferral.

Someone suggested to me that if I upgrade my NT PDC to 2003, then replicate the changes to my new 2003 server and remove the original NT PDC that had been upgraded, the clients would not need to reconnect? Is this true?

0
 
Chris Dent (PowerShell Developer) commented:

Yes, that's true.

Just to confirm you would have:

1. Upgrade the NT PDC to Windows 2003. This will upgrade the domain to Active Directory, pulling across all the SID histories, computer accounts, user accounts, etc.

2. Join the new 2003 Server to the domain as a second Domain Controller

3. Transfer all the FSMO Roles, DNS, Global Catalog, etc etc to the new 2003 Server

4. Decommission / rebuild the upgraded NT PDC after running DCPromo to remove the DC from the domain.

That should be it.
0
 
georgecooldude (Author) commented:
Yes, that is what I had been advised.

Now I originally tried this and it seemed quite hard. How hard is it to do?

That's why I reverted to the ADMTv2 tool. Assuming changing each client machine's domain membership isn't a problem, could I have missed anything critical by using the ADMTv2 tool?
0
 
Chris Dent (PowerShell Developer) commented:

It's not hard to do the in-place upgrade; just make sure you add a BDC to the domain, wait for replication, then turn it off and stick it in a cupboard before you do it, so there's always a way to back out.

You won't miss anything critical; there's just more administrative overhead for the migration. ADMT does make for a cleaner domain though.

0
 
georgecooldude (Author) commented:
How do you mean add a BDC to the domain? BTW this is all in a test network.

I will have 1 NT PDC (promoted) and 1 2003 server.

I will upgrade the NT to 2003 giving me 2 2003 machines.


Do I need to setup a trust relationship or anything?

0
 
georgecooldude (Author) commented:
If my testing goes correctly and I can move everything to the other 2003 server, I then need to replicate it onto my final server.

Can I do unlimited replications and demote old servers as I go along, or could things get missed?
0
 
Chris Dent (PowerShell Developer) commented:

No trust relationships...

For the BDC thing (and the upgrade in general)...

1. Create a new NT Server as a BDC on the existing NT Network
2. Give it time to replicate
3. Turn off the BDC, then put it aside. This gives you a copy of your NT domain and everything on it, so if anything goes wrong you can promote it to a PDC and you have your network back.
4. Upgrade the existing NT PDC to Windows 2003 with Active Directory
5. Join the Windows 2003 Server to this upgraded Domain and promote it to a Domain Controller
6. On the new server set up DNS, move the FSMO roles and set it as a Global Catalog
7. Run DCPromo on the upgraded NT machine to remove it from the domain for rebuild or decommissioning

This leaves you with your domain and all its objects running on the new server under the same domain name as the old one. The old NT4 server can be rebuilt or thrown away depending on the plans for it.
0
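As an added example that is not part of the thread (and not Microsoft's or Chris Dent's code), here is a PowerShell check a practitioner would run between steps 6 and 7 of the procedure above, before demoting the upgraded NT machine. It uses the .NET `System.DirectoryServices.ActiveDirectory` classes, which are present on any Windows box with PowerShell and need no RSAT module, so it works against Windows Server 2003 domain controllers. It prints the domain SID (an in-place upgrade keeps the NT4 domain's SID, which is why clients stay joined; a domain rebuilt via ADMT gets a new one), lists the five FSMO role holders, and confirms the new server is a Global Catalog. The server name `NEW2003SRV` and the `-ExpectedDomainSid` value are placeholders for this environment.

```powershell
# Added example, not code from the thread. Assumed placeholders: NEW2003SRV is the
# hostname of the new Windows 2003 DC; -ExpectedDomainSid is the domain SID you
# recorded (for instance from a joined client) before the in-place upgrade.
param(
    [string]$NewDc = "NEW2003SRV",
    [string]$ExpectedDomainSid = ""
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# 1. Domain SID. Read the objectSid attribute of the domain naming context and decode it.
#    Same SID as before the upgrade -> existing clients keep their membership.
#    Different SID -> this is a rebuilt domain and every client has to rejoin.
$sidBytes  = $domain.GetDirectoryEntry().psbase.Properties["objectSid"].Value
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
"Domain {0} SID: {1}" -f $domain.Name, $domainSid.Value
if ($ExpectedDomainSid -and ($domainSid.Value -ne $ExpectedDomainSid)) {
    Write-Warning "Domain SID differs from the recorded one: rebuilt domain, clients must rejoin."
}

# 2. FSMO role holders. All five should name the new server before the old DC is demoted.
$roles = @{
    "PDC Emulator"          = $domain.PdcRoleOwner.Name
    "RID Master"            = $domain.RidRoleOwner.Name
    "Infrastructure Master" = $domain.InfrastructureRoleOwner.Name
    "Schema Master"         = $forest.SchemaRoleOwner.Name
    "Domain Naming Master"  = $forest.NamingRoleOwner.Name
}
$pending = @()
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]                       # FQDN of the current role holder
    $onNew  = ($holder -eq $NewDc) -or ($holder -like "$NewDc.*")
    "{0,-22} {1,-35} {2}" -f $role, $holder, $(if ($onNew) { "OK" } else { "NOT MOVED" })
    if (-not $onNew) { $pending += $role }
}

# 3. Global Catalog. The new DC must advertise as a GC; otherwise logons fail once the
#    upgraded NT box (the only other GC) is removed with DCPromo.
$gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
$newIsGc = @($gcNames | Where-Object { ($_ -eq $NewDc) -or ($_ -like "$NewDc.*") }).Count -gt 0
"Global catalogs: {0}" -f ($gcNames -join ", ")

if (($pending.Count -eq 0) -and $newIsGc) {
    "All roles and the GC are on $NewDc. Safe to run DCPromo on the upgraded NT server (step 7)."
} else {
    Write-Warning ("Do not demote the old DC yet. Roles not moved: {0}; new DC is GC: {1}" -f `
        ($pending -join ", "), $newIsGc)
}
```

Run it on the new 2003 server as a domain administrator; run it again after the old DC has been demoted to confirm that nothing still points at the removed machine. Keep the printed domain SID with the migration notes, as it is the value that ties the surviving client memberships to the upgraded domain.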