Guidelines and advice for Domain upgrade from NT4 to Server 2008

I see a lot of questions here for upgrading the PDC/BDCs from NT4 to 2000/2003 but none for NT4 to 2008.
Can anyone advise on the procedure? Is it the same as NT4 to 2003?

Also, can anyone point me in the direction of some good white papers on the steps needed, as I am trying to draw up an action plan and want to leave no stone uncovered!

I know it's an impossible question to answer here, so just any advice and links will be appreciated!


I will be using new hardware for all the PDC/BDCs.

Chris Dent (PowerShell Developer) commented:


You cannot upgrade directly from NT4 to 2008 I'm afraid. You will have to upgrade to Windows 2000 or 2003. Then you can upgrade to 2008 after that.

Do you need instructions for the upgrade to 2000 / 2003?


meteorelec (Author) commented:
I was thinking that was why I could get no info!!

If you can pass on any info for 2003 that would be great!

Chris Dent (PowerShell Developer) commented:

There's lots here about the process, I'm sure you've bumped into this already :)

Let's see what I can remember of the process (it's been quite a while). These are only going to be notes, it's a huge topic and likely to expand beyond anything I can fit in here. Do you have Exchange in there as well?

Install Windows NT onto the server you want to use to do the upgrade then make that a PDC. Make sure you patch it up as much as you can. Then you can pop in the Windows 2003 disk and off you go.

1. Preventing Disaster

A common trick for the upgrade is to add a BDC to the NT Domain, then disconnect it from the network, turn it off and hide it in a cupboard.

That's our way back in case things don't go to plan :)

2. Offline Upgrade

Now when it comes to upgrading the PDC you'll probably be better served having it taken off the network. You'll still need a network connection for the server (NIC must be online), so a switch or hub without any other connections.

Again this protects us if things go a little bit wrong. If it works, plug it back in.

In the meantime you won't be able to change passwords and such because you'll only have BDCs on the network.

3. Domain Naming

During installation of AD you'll get to choose a DNS Domain Name for your network.

DNS is extremely important to AD Domains (from 2000 to 2008), and it's a pain in the backside to change later. Getting it right at this stage takes away potential pain later.

Which name you eventually go with is up to you, here are the options. I personally favour either b or c. They give you more freedom and don't constrain your network at all.

a. A Public Domain Name:


If your company has a public domain name you can use this here. Can make accessing your company's websites and services more difficult.

b. A Sub Domain of a Public Domain Name


This one is a useful one. It keeps things out of the way and gives you a greater degree of freedom than using the main domain.

c. A Private Domain

e.g. company.local

As with the sub-domain this keeps everything nice and out of the way. Apple Macs are known to suffer a little with the .local suffix (because they use it themselves).

4. TCP/IP Settings

Hopefully by now the upgrade has completed and your NT Domain has become an AD Domain. Your BDCs shouldn't notice any difference.

Above I mentioned the importance of DNS. Make sure that all your clients and servers *only* use AD DNS Servers in their TCP/IP configuration.

Using third party DNS servers will cause horrible problems trying to log onto the domain. I mention it explicitly because it has to be one of the most popular questions on here.

5. Getting Rid of the BDCs

If you're happy with the new domain, add some more Domain Controllers and get rid of the BDCs.

You should ensure you have more than one DNS Server. And you should make sure you have more than one Global Catalog available.

Do you have a lot of Domain Controllers? If you have anything below 10 I'd strongly recommend making all of your Domain Controllers Global Catalog. This is done through AD Sites and Services.

Once all the BDCs are gone you should raise the Functional Level of both the Forest and Domain to Native. Ideally 2003 Native if you only have 2003 Domain Controllers.

Upgrading to 2008 after this is really easy. Do you want to continue onto that one?
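
A check for the DNS point in step 4 above, as an added example that is not part of the original thread: it queries each machine over WMI and reports any adapter whose DNS server list includes something other than the AD DNS servers. The server IPs and computer names are constructed placeholders.

```powershell
# Added example, not from the thread. Replace the constructed values below.
$AdDnsServers = @('10.0.0.10', '10.0.0.11')   # assumed: IPs of your AD DNS servers
$Computers    = @('PC01', 'PC02', 'FILE01')   # assumed: machines to audit

function Get-ForeignDnsServer {
    # Returns the entries in $Configured that are not in the $Allowed list.
    param([string[]]$Configured, [string[]]$Allowed)
    @($Configured | Where-Object { $_ -and ($Allowed -notcontains $_) })
}

foreach ($computer in $Computers) {
    try {
        # Only adapters with TCP/IP bound and enabled are relevant.
        $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration `
            -ComputerName $computer -Filter 'IPEnabled = TRUE' -ErrorAction Stop
    } catch {
        Write-Warning "$computer : query failed ($($_.Exception.Message))"
        continue
    }
    foreach ($adapter in $adapters) {
        $configured = $adapter.DNSServerSearchOrder
        $foreign    = Get-ForeignDnsServer $configured $AdDnsServers
        if ($null -eq $configured) {
            '{0} [{1}]: no DNS servers configured' -f $computer, $adapter.Description
        } elseif ($foreign.Count -gt 0) {
            '{0} [{1}]: non-AD DNS in use: {2}' -f $computer, $adapter.Description, ($foreign -join ', ')
        } else {
            '{0} [{1}]: OK' -f $computer, $adapter.Description
        }
    }
}
```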


meteorelec (Author) commented:
Would it not be possible to have a new domain, e.g. the new PDC on Server 2008, and migrate all our servers, PCs etc. to this new domain one at a time, and set up all from scratch!

As really there is nothing from the old domain I want to carry onto the new domain!

And this way I also have the peace of mind that I can resort to the old domain in the event of failure!

Chris Dent (PowerShell Developer) commented:

Sure, that would be a much easier approach. :)

I'm not sure you'll get Windows 2008 to Trust an NT 4 Domain. Tentatively possible, but NT is so far out of support. Did you want to use ADMT? Or just going for the brute force method?


meteorelec (Author) commented:
The biggest part of our current domain is a thin client environment, so really I am only chatting about adding 20 PCs to the new domain along with our servers. User wise I want to scrap everything and start from scratch, as it was never set up right initially, so why bother taking over old problems? And as far as email goes I can get all users to archive completely to .pst - so brute force it is then!

Which should mean I don't need a trust between the 2 domains??

Chris Dent (PowerShell Developer) commented:

In case you wanted to migrate which would allow you to maintain Security Identifiers and make migrating PCs a lot easier.

However, if there are only 20 it's not going to be too arduous :)

meteorelec (Author) commented:
So just to clarify!

1. I can create a new PDC and BDC on Server 2008
2. I need no trust between this domain and our current domain
3. It will be possible to have both domains on the one IP range (any issue here?)
4. I will now be able to add PCs and servers one at a time to the new domain, but keep them on the old domain until I am ready for full switch over
5. I can open Exchange 5.5 .pst files in Exchange 2007
6. After I have all systems on the new domain I can leave the old domain up as a fall back

Chris Dent (PowerShell Developer) commented:

1. The roles aren't split like that anymore (PDC / BDC).

You can have a standard Domain Controller and a Read Only Domain Controller (which you couldn't previously have with 2000 / 2003). RODCs are generally intended for branch site deployment where you can't be as confident of physical security.

RODCs are very different from BDCs. I wouldn't bother installing a DC as Read Only unless you have a particular need for one.

Beyond that everything is multi-master (instead of NT's Master / Slave) with the exception of the FSMO (Flexible Single Master Operations) Roles which live on a single Server.

2. Not if you don't want to migrate things and are just going for brute force :)

3. That will be absolutely fine. It would probably be a good idea to use a different NetBIOS Domain Name for the new 2008 domain (it will have that in addition to the DNS Domain Name).

4. Yep.

However, conversing between old domain and new won't work well without a Trust in case you're moving File Servers first.

5. You can use the Import-Mailbox cmdlet in the Exchange Management Shell to drag in PST Files (or import them using the Outlook client).

It carries a few requirements. You'll need a 32-bit Operating System with Outlook installed to use it (Exchange 2007 is 64-bit natively).

Personally I run a Windows XP virtual machine (VMWare Server) with the Exchange Administrative Tools.

If you're importing PST Files I strongly recommend you run Outlook with:

"C:\Program Files\Microsoft Office\Office11\Outlook.exe" /CleanFreeBusy /ResetFolders

Office11 is Office 2003, replace with a path more appropriate to your users.

6. Yes, but it would be a manual move back for the workstations.

Generally speaking it's easier to bite the bullet and work through any issues.


meteorelec (Author) commented:

With regards to the FSMO roles, would it be bad practice to assign these all to one standalone domain controller, and then use the new Exchange 2007 server also as a DC? - I know Microsoft advise against using Exchange as a DC but there seem to be a lot of cases where people use it to good effect! Not to mention saving on hardware.

Chris Dent (PowerShell Developer) commented:

Having them all on one server is fine. It's very common in small businesses. Just make sure all of your Domain Controllers are set as Global Catalogs if you only have a couple.

Making Exchange a DC does make restoring the Exchange Server quite a bit more complex, and it will degrade performance (important if you have a lot of users, not so if you only have a few).

Just remember to make it a DC and finish off that bit prior to installing Exchange. You won't be able to promote / demote it after Exchange is installed (at least not without a high chance of breaking things).

meteorelec (Author) commented:
We would have approx 80 Exchange users -- is that still in the small enough bracket so as not to worry about degrading performance?

Chris Dent (PowerShell Developer) commented:

Pretty much, yes :)

If the company is expecting to grow at all it would be worth investing in a second DC (a 1U cheap server from Dell would work with Server 2003 Standard). Just keeps things as simple as possible (which we like a lot :)).

meteorelec (Author) commented:
OK, 1 last question lol!

No issue with a 2008 DC and a 2003 DC?

Chris Dent (PowerShell Developer) commented:

A few considerations, no issues :)

If you install the Domain as Windows 2003 you'll need to upgrade Active Directory so it can take 2008 DCs with three commands:

adprep /forestprep
adprep /domainprep
adprep /gpprep

They all hide on the Windows 2008 DVD under the Sources folder.

You should check your Functional Levels for the Domain and Forest. If you never intend to have Windows 2000 DCs make it Windows 2003 Native Mode. No point in lower really.

Don't make it higher than that, it's not reversible :)
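
A read-only check to run before and after the adprep steps above, as an added example that is not part of the original thread: it reads the schema version and the domain and forest functional levels from the directory. It assumes a domain-joined machine and an account that can read the directory.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD.
$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"

# Schema objectVersion values set by each release's forestprep.
$schemaNames = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'
                  31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008' }
# domainFunctionality / forestFunctionality values published on RootDSE.
$levelNames  = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                  2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

function Get-LevelName($table, [int]$value) {
    # Map a numeric version or level to a readable name.
    if ($table.ContainsKey($value)) { $table[$value] } else { "unknown ($value)" }
}

# psbase reaches the underlying DirectoryEntry on every PowerShell version.
$schemaVersion = [int]$schema.psbase.Properties['objectVersion'].Value
$domainLevel   = [int]$rootDse.psbase.Properties['domainFunctionality'].Value
$forestLevel   = [int]$rootDse.psbase.Properties['forestFunctionality'].Value

"Schema version : $schemaVersion ($(Get-LevelName $schemaNames $schemaVersion))"
"Domain level   : $domainLevel ($(Get-LevelName $levelNames $domainLevel))"
"Forest level   : $forestLevel ($(Get-LevelName $levelNames $forestLevel))"

if ($schemaVersion -lt 44) {
    'Schema is older than 2008: adprep /forestprep has not been applied here yet.'
}
if ($domainLevel -ge 3) {
    'Domain is at the 2008 level: 2003 DCs can no longer be added, and this cannot be undone.'
}
```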

meteorelec (Author) commented:
But would it be simpler with 2 2008 DC servers?

Would I lose any of the extra functionality of 2008 Server if I added a 2003 DC to the equation?

Chris Dent (PowerShell Developer) commented:

Simpler.... probably not :)

And the reason it's not simpler is if you can run in Windows 2008 Native mode you open up a fair bit of functionality. Perhaps most notably Fine Grained Password Policies.

Then there's changes to the availability of LastLogon information, DFS and a few Kerberos changes.

I'd give you more detail, but my internet connection is really crappy and I can't get to the MS articles ;)

I would certainly be tempted to install a pure 2008 domain if I could. It seems a shame to still be installing Windows 2003 after so many years. The only thing that makes me hesitate is that it's still fairly early days for Windows 2008, makes finding solutions for issues a little more tricky.

meteorelec (Author) commented:
I think for us as a small business (120 users) it would be best to maximise our long term strategies by going with a 2008 domain now that we have the opportunity to upgrade, as I don't want to be saying in a year or 2's time we could have been doing this and that if we had a 2008 domain! Though I'm sure we will have a lot of work on our hands! You aren't free for a couple of weeks? lol

Thanks Chris, that ended up being a lot of questions and I'm sure I will have plenty more down the road!!

Chris Dent (PowerShell Developer) commented:

That's no problem, I'm sure you'll have fun with Windows 2008. Always fun when there's lots to learn :)
