Solved

Guidelines and advice for Domain upgrade from NT4 to Server 2008

Posted on 2008-06-24
Last Modified: 2013-12-23
I see a lot of questions here for upgrading the PDC/BDCs from NT4 to 2000/2003 but none for NT4 to 2008.
Can anyone advise on the procedure, is it the same as NT4 to 2003?

Also, can anyone point me in the direction of some good white papers on the steps needed, as I am trying to draw up an action plan and want to leave no stone uncovered!

I know it's an impossible question to answer here, so just any advice and links will be appreciated!

PS

I will be using new hardware for all the PDC/BDCs
Question by:meteorelec

Expert Comment

by:Chris Dent
ID: 21855381

Hey,

You cannot upgrade directly from NT4 to 2008 I'm afraid. You will have to upgrade to Windows 2000 or 2003. Then you can upgrade to 2008 after that.

Do you need instructions for the upgrade to 2000 / 2003?

Chris


Author Comment

by:meteorelec
ID: 21855504
I was thinking that was why I could get no info!!

If you can pass on any info for 2003 that would be great!

Expert Comment

by:Chris Dent
ID: 21855863

There's lots here about the process, I'm sure you've bumped into this already :)

http://www.microsoft.com/windowsserver2003/upgrading/nt4/default.mspx

Let's see what I can remember of the process (it's been quite a while). These are only going to be notes, it's a huge topic and likely to expand beyond anything I can fit in here. Do you have Exchange in there as well?

Install Windows NT onto the server you want to use to do the upgrade then make that a PDC. Make sure you patch it up as much as you can. Then you can pop in the Windows 2003 disk and off you go.

1. Preventing Disaster

A common trick for the upgrade is to add a BDC to the NT Domain, then disconnect it from the network, turn it off and hide it in a cupboard.

That's our way back in case things don't go to plan :)

2. Offline Upgrade

Now when it comes to upgrading the PDC you'll probably be better served having it taken off the network. You'll still need a network connection for the server (NIC must be online), so a switch or hub without any other connections.

Again this protects us if things go a little bit wrong. If it works, plug it back in.

In the meantime you won't be able to change passwords and such because you'll only have BDCs on the network.

3. Domain Naming

During installation of AD you'll get to choose a DNS Domain Name for your network.

DNS is extremely important to AD Domains (from 2000 to 2008), and it's a pain in the backside to change later. Getting it right at this stage takes away potential pain later.

Which name you eventually go with is up to you, here are the options. I personally favour either b or c. They give you more freedom and don't constrain your network at all.

a. A Public Domain Name:

e.g. company.com

If your company has a public domain name you can use this here. Can make accessing your company's websites and services more difficult.

b. A Sub Domain of a Public Domain Name

e.g. corp.company.com

This one is a useful one. It keeps things out of the way and gives you a greater degree of freedom than using the main domain.

c. A Private Domain

e.g. company.local

As with the sub-domain this keeps everything nice and out of the way. Apple Macs are known to suffer a little with the .local suffix (because they use it themselves).

4. TCP/IP Settings

Hopefully by now the upgrade has completed and your NT Domain has become an AD Domain. Your BDCs shouldn't notice any difference.

Above I mentioned the importance of DNS. Make sure that all your clients and servers *only* use AD DNS Servers in their TCP/IP configuration.

Using third party DNS servers will cause horrible problems trying to log onto the domain. I mention it explicitly because it has to be one of the most popular questions on here.

5. Getting Rid of the BDCs

If you're happy with the new domain, add some more Domain Controllers and get rid of the BDCs.

You should ensure you have more than one DNS Server. And you should make sure you have more than one Global Catalog available.

Do you have a lot of Domain Controllers? If you have anything below 10 I'd strongly recommend making all of your Domain Controllers Global Catalog. This is done through AD Sites and Services.

Once all the BDCs are gone you should raise the Functional Level of both the Forest and Domain to Native. Ideally 2003 Native if you only have 2003 Domain Controllers.

Upgrading to 2008 after this is really easy. Do you want to continue onto that one?

Chris
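
The check from point 4 above (clients and servers should list only AD DNS servers), as an added example that is not part of the original post: a Windows PowerShell audit that flags any adapter with a resolver outside the AD set. The server addresses, computer names and function names are constructed for illustration.

```powershell
# Assumption: these are the AD-integrated DNS servers (constructed addresses).
$AdDnsServers = @('10.0.0.10', '10.0.0.11')

# Pure comparison: which configured resolvers are not AD DNS servers?
function Test-DnsClientConfig {
    param(
        [string]$ComputerName,
        [string[]]$DnsServers,   # resolvers configured on one adapter
        [string[]]$Allowed       # the AD DNS servers
    )
    $configured = @($DnsServers | Where-Object { $_ })
    $foreign    = @($configured | Where-Object { $Allowed -notcontains $_ })
    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Configured   = ($configured -join ', ')
        Foreign      = ($foreign -join ', ')
        # An adapter with no resolver at all is also reported as non-compliant.
        Compliant    = ($configured.Count -gt 0 -and $foreign.Count -eq 0)
    }
}

# Live collection over WMI: one result per IP-enabled adapter on each machine.
function Get-DnsClientAudit {
    param([string[]]$ComputerName, [string[]]$Allowed)
    foreach ($c in $ComputerName) {
        Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $c `
            -Filter 'IPEnabled = TRUE' |
            ForEach-Object { Test-DnsClientConfig $c $_.DNSServerSearchOrder $Allowed }
    }
}

# Constructed sample: PC02 still lists an outside resolver as its secondary.
Test-DnsClientConfig 'PC01' @('10.0.0.10', '10.0.0.11')    $AdDnsServers
Test-DnsClientConfig 'PC02' @('10.0.0.10', '203.0.113.53') $AdDnsServers

# Against real machines (needs WMI access to each one):
# Get-DnsClientAudit -ComputerName 'PC01','FS01' -Allowed $AdDnsServers |
#     Where-Object { -not $_.Compliant }
```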

Author Comment

by:meteorelec
ID: 21856680
Chris,
Would it not be possible to have a new domain, e.g. the new PDC on Server 2008, and migrate all our servers, PCs etc. to this new domain one at a time, and set up all from scratch!

As really there is nothing from the old domain I want to carry onto the new domain!

And this way I also have the peace of mind that I can resort to the old domain in the event of failure!


Expert Comment

by:Chris Dent
ID: 21856796

Sure, that would be much easier approach. :)

I'm not sure you'll get Windows 2008 to Trust an NT 4 Domain. Tentatively possible, but NT is so far out of support. Did you want to use ADMT? Or just going for the brute force method?

Chris


Author Comment

by:meteorelec
ID: 21856900
The biggest part of our current domain is a thin client environment, so really I am only chatting about adding 20 PCs to the new domain along with our servers. User-wise I want to scrap everything and start from scratch, as it was never set up right initially, so why bother taking over old problems, and as far as email goes I can get all users to archive completely to .pst - so brute force it is then!

Which should mean I don't need a trust between the 2 domains??

Expert Comment

by:Chris Dent
ID: 21856968

In case you wanted to migrate which would allow you to maintain Security Identifiers and make migrating PCs a lot easier.

However, if there are only 20 it's not going to be too arduous :)

Chris

Author Comment

by:meteorelec
ID: 21857116
So just to clarify!

1. I can create a new PDC and BDC on Server 2008
2. I need no trust between this domain and our current domain
3. It will be possible to have both domains on the one IP range (any issue here?)
4. I will now be able to add PCs and servers one at a time to the new domain, but keep them on the old domain until I am ready for full switch over
5. I can open Exchange 5.5 .pst files in Exchange 2007
6. After I have all systems on the new domain I can leave the old domain up as a fall back

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21857236

1. The roles aren't split like that anymore (PDC / BDC).

You can have a standard Domain Controller and a Read Only Domain Controller (which you couldn't previously have with 2000 / 2003). RODCs are generally intended for branch site deployment where you can't be as confident of physical security.

RODCs are very different from BDCs. I wouldn't bother installing a DC as Read Only unless you have a particular need for one.

Beyond that everything is multi-master (instead of NT's Master / Slave) with the exception of the FSMO (Flexible Single Master Operations) Roles which live on a single Server.

2. Not if you don't want to migrate things and are just going for brute force :)

3. That will be absolutely fine. It would probably be a good idea to use a different NetBIOS Domain Name for the new 2008 domain (it will have that in addition to the DNS Domain Name).

4. Yep.

However, conversing between old domain and new won't work well without a Trust in case you're moving File Servers first.

5. You can use the Import-Mailbox cmdlet in the Exchange Management Shell to drag in PST Files (or import them using the Outlook client).

It carries a few requirements. You'll need a 32-bit Operating System with Outlook installed to use it (Exchange 2007 is 64-bit natively).

Personally I run a Windows XP virtual machine (VMWare Server) with the Exchange Administrative Tools.

If you're importing PST Files I strongly recommend you run Outlook with:

"C:\Program Files\Microsoft Office\Office11\Outlook.exe" /CleanFreeBusy /ResetFolders

Office11 is Office 2003, replace with a path more appropriate to your users.

6. Yes, but it would be a manual move back for the workstations.

Generally speaking it's easier to bite the bullet and work through any issues.

Chris

Author Comment

by:meteorelec
ID: 21863428
Chris

With regards to the FSMO roles, would it be bad practice to assign these all to one standalone domain controller, and then use the new Exchange 2007 server also as a DC? - I know Microsoft advise against using Exchange as a DC but there seem to be a lot of cases where people use it to good effect! Not to mention saving on hardware

Expert Comment

by:Chris Dent
ID: 21863510

Having them all on one server is fine. It's very common in small businesses. Just make sure all of your Domain Controllers are set as Global Catalogs if you only have a couple.

Making Exchange a DC does make restoring the Exchange Server quite a bit more complex, and it will degrade performance (important if you have a lot of users, not so if you only have a few).

Just remember to make it a DC and finish off that bit prior to installing Exchange. You won't be able to promote / demote it after Exchange is installed (at least not without a high chance of breaking things).

Chris

Author Comment

by:meteorelec
ID: 21863554
We would have approx 80 Exchange users -- is that still in the small enough bracket so as not to worry about degrading performance?

Expert Comment

by:Chris Dent
ID: 21863581

Pretty much, yes :)

If the company is expecting to grow at all it would be worth investing in a second DC (a 1U cheap server from Dell would work with Server 2003 Standard). Just keeps things as simple as possible (which we like a lot :)).

Chris

Author Comment

by:meteorelec
ID: 21863686
OK, 1 last question lol!

No issue with a 2008 DC and a 2003 DC?

Expert Comment

by:Chris Dent
ID: 21863776

A few considerations, no issues :)

If you install the Domain as Windows 2003 you'll need to upgrade Active Directory so it can take 2008 DCs with three commands:

adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep

They all hide on the Windows 2008 DVD under the Sources folder.

You should check your Functional Levels for the Domain and Forest. If you never intend to have Windows 2000 DCs make it Windows 2003 Native Mode. No point in lower really.

Don't make it higher than that, it's not reversible :)

Chris
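
A pre-flight check for the adprep step above, added here as an example and not taken from the original post: it reads the schema version, domain mode and FSMO role holders, then lists which command to run on which server. It assumes Windows PowerShell on a domain-joined machine; the function names and sample values are constructed, and `/gpprep` is run together with `/domainprep`.

```powershell
# Schema objectVersion values for the releases discussed in this thread.
$SchemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'
                     31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008' }

# Pure decision logic: turn the collected facts into an ordered list of steps.
function Get-AdprepPlan {
    param([int]$SchemaVersion, [string]$SchemaMaster,
          [string]$InfrastructureMaster, [string]$DomainMode)
    # Assumption: modes that still allow NT4 BDCs are treated as blockers.
    if ($DomainMode -match 'Mixed|Interim') {
        return "STOP: domain mode '$DomainMode' still allows NT4 BDCs; raise it first"
    }
    $label = $SchemaVersions[$SchemaVersion]
    if (-not $label) { $label = 'unknown release' }
    $steps = @("Schema is version $SchemaVersion ($label)")
    if ($SchemaVersion -lt 44) {
        $steps += "On $SchemaMaster (schema master): adprep /forestprep"
    } else {
        $steps += 'Forest schema already at 2008 level; /forestprep not needed'
    }
    $steps += "On $InfrastructureMaster (infrastructure master): adprep /domainprep /gpprep"
    $steps
}

# Live collection through System.DirectoryServices and the RootDSE.
function Get-AdprepFacts {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = [ADSI]"LDAP://$($root.schemaNamingContext)"
    @{
        SchemaVersion        = [int]$schema.Properties['objectVersion'].Value
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
        DomainMode           = [string]$domain.DomainMode
    }
}

# Constructed sample: a 2003-native domain that has not been prepared yet.
Get-AdprepPlan -SchemaVersion 30 -SchemaMaster 'dc01.corp.company.com' `
    -InfrastructureMaster 'dc01.corp.company.com' -DomainMode 'Windows2003Domain'

# On a domain member:  $facts = Get-AdprepFacts; Get-AdprepPlan @facts
```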

Author Comment

by:meteorelec
ID: 21864500
But would it be simpler with 2 2008 DC servers?

Would I lose any of the extra functionality of 2008 Server if I added a 2003 DC to the equation?

Expert Comment

by:Chris Dent
ID: 21864604

Simpler.... probably not :)

And the reason it's not simpler is if you can run in Windows 2008 Native mode you open up a fair bit of functionality. Perhaps most notably Fine Grained Password Policies.

http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true

Then there are changes to the availability of LastLogon information, DFS and a few Kerberos changes.

I'd give you more detail, but my internet connection is really crappy and I can't get to the MS articles ;)

I would certainly be tempted to install a pure 2008 domain if I could. It seems a shame to still be installing Windows 2003 after so many years. The only thing that makes me hesitate is that it's still fairly early days for Windows 2008, makes finding solutions for issues a little more tricky.

Chris

Author Comment

by:meteorelec
ID: 21864715
I think for us as a small business (120 users) it would be best to maximise our long term strategies by going with a 2008 domain now that we have the opportunity to upgrade, as I don't want to be saying in a year or 2's time we could have been doing this and that if we had a 2008 domain! Though I'm sure we will have a lot of work on our hands! You aren't free for a couple of weeks? lol

Thanks Chris, that ended up being a lot of questions and I'm sure I will have plenty more down the road!!

Expert Comment

by:Chris Dent
ID: 21864769

That's no problem, I'm sure you'll have fun with Windows 2008. Always fun when there's lots to learn :)

Chris