robwhite64 asked:
SAM database transfer methods: Advice needed for NT4 to W2K3 Upgrade

We are a 500-user NT 4.0 domain managing accounts for 4 connected sites. Our parent company has moved to W2K3 with Active Directory, and has created a new forest structure where all affiliate sites must be joined to their domain.

We have our own NT4 PDC, which will be decommissioned, and a new server for our W2K3 domain controller with AD. Our main concern is ensuring our 500 user and computer accounts along with their security profiles (group memberships, file & share permissions, passwords, etc.) are brought over to the new server with everything intact.

Everyone around me is talking about doing an NT4-to-W2K3 account migration using the ADMT tool to accomplish our task, but I watched a few Microsoft Webcasts on this topic and one of the methods presented for migrating an NT 4.0 environment to W2K3 AD is to install NT4 on your NEW server, configure it as a BDC so a copy of the SAM will replicate to it from your existing NT4 PDC, then take your existing NT PDC off the network and promote the new server to an NT PDC.

Now you've got all your user accounts and their security profiles on the new server, no migration necessary the way I understand it. From there you would upgrade the new server to W2K3 Server, run DCPROMO, add it to the new domain and configure AD.

Do you see anything wrong with this method? Has anyone tried this? Any input would be appreciated, whether lessons learned from those who have tried it, or reasons why this is or is not the best path in our situation.
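Whichever path is taken, the asker's real requirement is that accounts and group memberships arrive in the target domain intact. The script below is an added example (not from this thread or from any Microsoft tool) that compares a pre-migration inventory exported from the source domain with a post-migration inventory exported from the target domain and reports dropped accounts, lost memberships and unexpected new memberships. It assumes both inventories are plain text in the form `username:group1,group2,...`, one account per line (for example, assembled from `net user` / `net group` output); the two sample inventories are constructed for illustration.

```python
"""Check that accounts and group memberships survived a domain migration.

Added example, not code from the thread. Assumed input format (both files):
    username:group1,group2,...
one account per line; '#' lines are comments. Names are compared
case-insensitively because NT/AD names are not case-sensitive.
"""

# Constructed sample: export taken from the source NT4 PDC before migration.
PRE_EXPORT = """
# pre-migration inventory (constructed)
jsmith:Domain Users,Finance,Payroll Admins
amiller:Domain Users,Finance
svc_backup:Domain Users,Backup Operators
"""

# Constructed sample: export taken from the target AD domain after migration.
POST_EXPORT = """
# post-migration inventory (constructed)
jsmith:Domain Users,Finance
amiller:Domain Users,Finance,Domain Admins
"""


def parse_inventory(text):
    """Parse 'user:g1,g2' lines into {user: set_of_groups}."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, groups = line.partition(":")
        members = {g.strip().lower() for g in groups.split(",") if g.strip()}
        inventory[name.strip().lower()] = members
    return inventory


def compare_inventories(pre_text, post_text):
    """Return a report of what changed between the two inventories.

    missing_accounts   - accounts present before but absent after
    lost_memberships   - {user: [groups the user was dropped from]}
    gained_memberships - {user: [groups the user was not in before]}
    Gained memberships matter as much as lost ones: a migration that
    silently adds an account to a privileged group is a security defect.
    """
    pre = parse_inventory(pre_text)
    post = parse_inventory(post_text)
    report = {
        "missing_accounts": sorted(set(pre) - set(post)),
        "lost_memberships": {},
        "gained_memberships": {},
    }
    for user, groups in pre.items():
        if user not in post:
            continue  # already counted as a missing account
        lost = sorted(groups - post[user])
        gained = sorted(post[user] - groups)
        if lost:
            report["lost_memberships"][user] = lost
        if gained:
            report["gained_memberships"][user] = gained
    return report


def migration_is_clean(report):
    """True only when nothing was dropped, lost or unexpectedly gained."""
    return not (report["missing_accounts"]
                or report["lost_memberships"]
                or report["gained_memberships"])


if __name__ == "__main__":
    result = compare_inventories(PRE_EXPORT, POST_EXPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("clean:", migration_is_clean(result))
```

Run it against the two real exports before cutting users over; the sample data deliberately shows all three failure classes (a service account left behind, a membership dropped, and an account that ended up in Domain Admins).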
LauraEHunterMVP:

> "I watched a few Microsoft Webcasts on this topic and one of the methods presented for migrating an NT 4.0 environment to W2K3 AD is to install NT4 on your NEW server, configure it as a BDC so a copy of the SAM will replicate to it from your existing NT4 PDC, then take your existing NT PDC off the network and promote the new server to an NT PDC."

This presumes that you are migrating your NT environment into a brand-new Active Directory environment. If your parent company has already created an Active Directory forest that you are now being instructed to join, you will need to perform a migration using ADMT or a paid third-party tool, such as one from Quest.
Lee W, MVP:

I agree. I LOVE the upgrade migration method and recommend it whenever possible. But if your parent company's in charge, then it sounds like that won't be an option for you.
robwhite64 (ASKER):

Yes, we'll be joining a new AD domain. My thought process was that we could pull our current NT PDC off the network before promoting the new NT server to a PDC (so it will have rights on the SAM). Then we could upgrade the new NT server to W2K3, run DCPROMO so Active Directory picks up all the account data from the SAM, and then bring the current NT PDC back on to the network. There would be a brief period of downtime on our current domain; namely the time it takes to upgrade the new server, promote it to a DC with AD, and then the time it takes for the user/computer account info to populate AD.

When the new server is configured it would be joined to the new domain and our current domain would continue to run off the NT PDC until we're ready for the switchover.

Why wouldn't this work if we did it this way?
We need to be precise here: are you joining a new Active Directory domain, meaning that you, yourself, will be creating this domain from scratch? Or are you joining an Active Directory domain that has already been created by your parent company?

If the latter, then it is not a "new" domain, per se, as it is already in existence and separate from your current environment (even though it is "new" to you). If this is the case, your only option is to migrate.
"We are a 500-user NT 4.0 domain managing accounts for 4 connected sites. Our parent company has moved to W2K3 with Active Directory, and has created a new forest structure where all affiliate sites must be joined to their domain."

Laura, we'll be joining the parent company's domain as I stated in my original question, which is new to us.

Can you or LeeW (or anyone) explain to me why it's not possible to use the upgrade method in this case?
ASKER CERTIFIED SOLUTION
LauraEHunterMVP
[solution text only available to members]
Thanks Laura and LeeW for your speedy responses.
After accepting a solution I thought of this idea and wanted to toss it out.

What if instead of running DCPROMO on the new W2K3 server, I ran the Active Directory Installation Wizard and chose "Select Additional domain controller for an existing domain." Couldn't I join the new W2K3 server to the parent company's domain at this point and achieve my goal of having a domain controller that contains the NT4 SAM database in Active Directory?
Nope.  Adding an additional DC to the parent.local domain will cause that DC to contain the information for the parent.local domain; any existing account information will not be retained.  Migration is your only option here.
See the link for the process I'm referring to. You still have to run DCPROMO but you run it with a switch of /adv.

http://technet2.microsoft.com/windowsserver/en/library/87e58caa-b7f1-4c72-9c5c-b478aa53fc361033.mspx?mfr=true

My original comment stands - migration is your only available option in the scenario that you have described.
Laura,
I posted the link above before your response showed up.

So when I joined the new server to the parent domain, the data that had replicated to it from the NT PDC would be lost? Bummer.

Thanks again.