Solved

Move Domain users / machines and DHCP from old NT server to 2003 server

Posted on 2010-09-10
454 Views
Last Modified: 2013-12-23
We have an old Windows NT server box that now has nothing on it except that it is the domain controller for one domain and the DHCP server for that network segment. I would like to move those 2 functions off of that box and decommission it.

I have a newer server that has 2003 Enterprise server installed and is in use for some other things. I would like to make that the primary domain controller and move all the users over (copy/ move so I do not have to recreate all the users and reestablish the trust relationships between machines). Ditto the DHCP, turn that option on and move all the current leases and reservations over.

Can this be done so I do not have to recreate or redo anything?  If so, how?

Thanks
Question by:dlwynne
17 Comments
 
LVL 2

Expert Comment

by:twichert
ID: 33647012
You will need to promote the 2003 server to the domain controller for that domain with NT 4.0 compatibility, then promote it to the PDC.  Part of the process will require ADPREP to be run to prepare the active directory for hosting a 2003 domain controller.  You will then need to configure the DHCP service on it for that network segment.  You will then need to turn off DHCP service on the NT 4.0 domain controller and demote it from domain controller status.  Finally, authorize and activate the DHCP scope on the 2003 domain controller.  Additionally, you can then raise the forest and domain functional levels to 2003.

The tricky part is that you cannot move DHCP leases from the NT4.0 machine to the 2003 machine, but Windows does perform gratuitous ARP, and this should allow the 2003 machine to take over DHCP without too many IP conflicts occurring.

Let me know if you have any further questions.
 
LVL 5

Expert Comment

by:swap_101982
ID: 33647672
Maybe this will help you with moving your DHCP database from NT 4.0 to Windows 2003.
 
LVL 5

Expert Comment

by:swap_101982
ID: 33647693
You can use ADMT for your User Migration

You can use the ADMT to migrate users, groups, and computers from one domain to another, and to analyze the migration impact before and after the actual migration process. Make sure that you run ADMT from the primary domain controller (PDC) that is the Flexible Single Master Operation (FSMO) role holder in the target domain.

http://www.petri.co.il/active_directory_migration_tool_usage_nt_windows_2003.htm
 
LVL 2

Accepted Solution

by:
twichert earned 500 total points
ID: 33655537
You really do not want to use the ADMT tool unless you are migrating to a new domain.  As I understand it, you wish to keep the same domain so that you do not need to recreate all the trust relationships, etc.  If that is the case, then you'll want to perform the steps I outlined.

Apparently there IS a way to move the DHCP leases database from NT 4.0 to 2003 in MS KB 325473.

http://support.microsoft.com/kb/325473/
 

Author Comment

by:dlwynne
ID: 33656482
"As I understand it, you wish to keep the same domain so that you do not need to recreate all the trust relationships, etc"

Thanks, that is correct. I do not want to have to re-join or do anything else, just have the same domain now controlled by the newer 2003 server and the NT box off. Ditto the DHCP.

I found this TechNet article, which looks similar to the DHCP link you posted:

http://technet.microsoft.com/en-us/library/cc781522.aspx
 
LVL 2

Expert Comment

by:twichert
ID: 33663932
Anything else I can do to help dlwynne?
 

Author Comment

by:dlwynne
ID: 33663967
I am going to try it today or Tuesday, as soon as I put some new fires out. I will report back with my success or lack thereof :-)
 
LVL 2

Expert Comment

by:twichert
ID: 33665419
Sounds good dlwynne.  If you need any more help on this, I'll be around.
 

Author Comment

by:dlwynne
ID: 33686907
I got the DHCP moved without a problem. I used the how-to you linked to:

http://support.microsoft.com/kb/325473/

I was trying to follow a similar how-to for moving the domain:

http://support.microsoft.com/kb/555549

But the very first link is bad

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

Do you have a step by step guide of what I need to do?

From your reply it looks like I need to do this:

1) Make the new 2003 server a domain controller in the old domain (secondary controller) ?
2) Promote it to the primary controller which demotes the old NT box?
3) Remove the old NT box from the domain?

Somewhere  along the way I need to run ADPREP and do some other steps?

Thanks

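As an added example (not code from the thread or from KB 325473): once the database is on the 2003 server, the checks below, typed in PowerShell on that server, snapshot what was imported, confirm the server is authorized in Active Directory, look for a still-running DHCP service on the NT box, and turn on conflict detection for the cutover window discussed earlier in the thread. The names DHCP02 (the 2003 server), NT4PDC (the old NT box) and the scope 192.168.1.0 are placeholders, not values from the thread.

```powershell
# Added example: verify and back up DHCP on the Windows Server 2003 target.
# Placeholders (not from the thread): DHCP02 = 2003 server, NT4PDC = old NT box,
# 192.168.1.0 = the scope that was moved.
$server = '\\DHCP02'
$oldBox = '\\NT4PDC'
$scope  = '192.168.1.0'
$backup = 'C:\dhcp-migration\export-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmm')

New-Item -ItemType Directory -Path (Split-Path -Parent $backup) -Force | Out-Null

# 1. Snapshot the imported configuration and leases before changing anything.
#    netsh dhcp export/import exists on Windows Server 2003; NT4 has no
#    netsh dhcp context, which is why the KB uses a different method for the source.
netsh dhcp server $server export $backup all
if ($LASTEXITCODE -ne 0) { throw "DHCP export to $backup failed" }

# 2. A DHCP server that is not authorized in AD does not answer clients.
$authorized = netsh dhcp show server
if (-not ($authorized | Select-String -SimpleMatch -Quiet $server.TrimStart('\'))) {
    Write-Warning "$server is not listed as an authorized DHCP server in Active Directory"
}

# 3. Confirm the scope, its reservations and its leases survived the move.
netsh dhcp server $server show scope
netsh dhcp server $server scope $scope show reservedip
netsh dhcp server $server scope $scope show clients 1

# 4. The NT4 service must be stopped so two servers never serve the same segment.
#    (sc.exe can query a remote service control manager; service name is DHCPServer.)
sc.exe $oldBox query DHCPServer

# 5. Have the 2003 server ping-test an address before offering it, which covers any
#    lease the export did not carry over (the IP-conflict concern raised above).
netsh dhcp server $server set detectconflictretry 2
netsh dhcp server $server show detectconflictretry

# 6. Reconcile the scope so the lease database and the registry summary agree.
netsh dhcp server $server scope $scope initiate reconcile
```

Run it once before the NT box is shut down and again afterwards; the export file from the first run is the rollback copy if the second run shows missing reservations.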
 

Assisted Solution

by:dlwynne
dlwynne earned 0 total points
ID: 33687407
I get an error trying to find the old NT domain when trying to make the 2003 server an "additional domain controller on an existing domain". I give it the admin user name and password for the NT domain and the NT domain name and it returns the error "Active directory domain controller for the domain ___ could not be found".

Based on what I see here:

http://www.networkclue.com/os/Windows/server/nt-2003-migration.aspx

and here

http://support.microsoft.com/kb/326209/en-us

it looks like you can't go from NT to 2003 as you proposed...


 
LVL 2

Expert Comment

by:twichert
ID: 33691830
You are absolutely right.

I was sure I'd migrated from NT 4 to 2003 before and kept the whole domain intact. Turns out I did perform that migration, but I was remembering the path wrong. There is a way to do it, but it requires two domain controllers. You will need an NT 4.0 PDC and BDC. If you have that requirement met, then you can run the upgrade path documented here:

http://www.networkclue.com/os/Windows/server/nt-2003-migration.aspx

Otherwise, you'll need to use the ADMT tool.

Sorry 'bout that.
 

Author Comment

by:dlwynne
ID: 33701192
Can I mix 2003 x64 and 2003 R2 32-bit domain controllers as primary and secondary (to do the update)?

I have the test box on NT server as the PDC and need to upgrade it. The final, real PDC is running 2003 (non-R2) 64-bit Enterprise. I have a spare license of 2003 R2 32-bit I can use to upgrade the NT box. Is that OK? I can't find anything online that says that you can't mix R2 and non-R2 2003 servers (or 64-bit and 32-bit) as primary and backup domain controllers on the same domain.

Thanks
 

Author Comment

by:dlwynne
ID: 33744821
I have the PDC moved to the 2003 server and the BDC is on the old NT box.  I am getting a lot of errors on machines in the domain, like these:



Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1053
Date:            9/23/2010
Time:            9:33:27 AM
User:            NT AUTHORITY\SYSTEM
Computer:      POWEREDGE
Description:
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      SRMSVC
Event Category:      None
Event ID:      12317
Date:            9/23/2010
Time:            8:55:21 AM
User:            N/A
Computer:      POWEREDGE
Description:
File Server Resource Manager failed to enumerate share paths or DFS paths.  Mappings from local file paths to share and DFS paths may be incomplete or temporarily unavailable.  FSRM will retry the operation at a later time.

Error-specific details:
   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 50 4d 43 41 43 48 45 43   PMCACHEC
0008: 38 33 33 00 00 00 00 00   833.....
0010: 50 4d 43 41 43 48 45 43   PMCACHEC
0018: 37 33 38 00 00 00 00 00   738.....


 
 
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5790
Date:  9/23/2010
Time:  9:18:56 AM
User:  N/A
Computer: POWEREDGE
Description:
No suitable Domain Controller is available for domain INFOLINK. An NT4 or older domain controller is available but it cannot be used for authentication purposes in the Windows 2000 or newer domain that this computer is a member of. The following error occurred:
There are currently no logon servers available to service the logon request.
 
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5790
Date:  9/23/2010
Time:  9:18:56 AM
User:  N/A
Computer: POWEREDGE
Description:
No suitable Domain Controller is available for domain INFOLINK. An NT4 or older domain controller is available but it cannot be used for authentication purposes in the Windows 2000 or newer domain that this computer is a member of. The following error occurred:
There are currently no logon servers available to service the logon request.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    
   

 
 
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date:  9/23/2010
Time:  8:55:21 AM
User:  N/A
Computer: POWEREDGE
Description:
The Security System detected an authentication error for the server cifs/EISWIN.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0  
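An added example, not code posted in the thread: run in PowerShell on a member server such as the POWEREDGE above, this pulls the three event types the author posted from the System log and then asks the DC locator the question those events are really about, whether any directory-service DC that is also a KDC can be found for the domain. INFOLINK is the domain name from the posted events; the 24-hour window and the 5000-entry limit are arbitrary choices.

```powershell
# Added example: triage Userenv 1053 / NETLOGON 5790 / LSASRV 40960 on a member
# server. Domain name taken from the posted events; window and entry limit are arbitrary.
$domain = 'INFOLINK'
$since  = (Get-Date).AddHours(-24)

# The three event IDs the thread shows; all are symptoms of one locator failure.
$watch = @{ 'Userenv' = 1053; 'NETLOGON' = 5790; 'LSASRV' = 40960 }

$hits = Get-EventLog -LogName System -Newest 5000 |
    Where-Object { $_.TimeGenerated -ge $since -and
                   $watch.ContainsKey($_.Source) -and
                   $watch[$_.Source] -eq $_.EventID }

# Counts per source/ID, then one message per ID so the failure code is visible
# (0xc000005e in the LSASRV event is STATUS_NO_LOGON_SERVERS).
$hits | Group-Object Source, EventID | Select-Object Count, Name | Format-Table -AutoSize
$hits | Sort-Object EventID | Select-Object EventID, Message -Unique | Format-List

# The locator call behind all three events: ask for a DC that is a directory
# service DC (/ds) and a KDC (/kdc). An NT4 BDC is neither, so while only the NT4
# box answers for the domain this fails (typically status 1355, ERROR_NO_SUCH_DOMAIN).
nltest "/dsgetdc:$domain" /ds /kdc /force
if ($LASTEXITCODE -ne 0) { Write-Warning "no AD-capable DC found for $domain" }

# Secure-channel state for this member: which DC it is bound to and the last status.
# A nonzero status here is the member-side view of the authentication failures above.
nltest "/sc_query:$domain"
```

If the nltest call succeeds while the events keep appearing, the member is bound to the wrong DC; if it fails, the fix is on the DC side (the NT4 box still being the only DC the locator can use), which is where the thread goes next.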
 
LVL 2

Expert Comment

by:twichert
ID: 33746829
Yes, you can mix architectures.  AD doesn't care.
 
LVL 2

Expert Comment

by:twichert
ID: 33746839
What forest and domain functional levels does the 2003 domain controller believe AD is currently set to?
 

Author Comment

by:dlwynne
ID: 33790966
It shows the new name.domain.com I set up and under pre-Windows 2000 it shows the old domain name.

It does say the Domain and Forest functional levels are "Windows Server 2003 Interim".

Under Users and Computers it shows all the users and machines we had before, and under Domain Controllers it shows the new 2003 box and the old NT box.

Even though this machine and user (for example) are shown, the event log has:

The session setup from the computer ADAMXP failed to authenticate. The name(s) of the account(s) referenced in the security database is ADAMXP$.  The following error occurred:
Access is denied.
 

Author Comment

by:dlwynne
ID: 33841771
OK, I think I have everything working now.

I had to remove the old NT box from the domain and upgrade the domain and forest to non-interim Windows Server 2003 and some other changes.
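As an added example, not from the thread: a read-only check, run in PowerShell on the 2003 domain controller after the NT box has been pulled and the functional levels raised, that reports the levels the expert asked about (with the msDS-Behavior-Version values behind the names the GUI shows), lists every account still flagged as a domain controller so a leftover NT4 BDC object stands out, and confirms the FSMO holders. netdom and dcdiag are assumed to be installed from the Windows Server 2003 Support Tools.

```powershell
# Added example: post-migration verification on the Windows Server 2003 DC.
# Read-only. Assumes the Support Tools (netdom, dcdiag) are installed on this DC.

# 1. Functional levels as the DC itself reports them via RootDSE. The values are
#    the msDS-Behavior-Version numbers this migration passes through.
$levels = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
$rootDse     = [ADSI]'LDAP://RootDSE'
$domainLevel = [int]([string]$rootDse.domainFunctionality)
$forestLevel = [int]([string]$rootDse.forestFunctionality)
"Domain functional level: {0} ({1})" -f $domainLevel, $levels[$domainLevel]
"Forest functional level: {0} ({1})" -f $forestLevel, $levels[$forestLevel]
if ($domainLevel -lt 2 -or $forestLevel -lt 2) {
    Write-Warning 'Below Windows Server 2003 level: NT4 BDCs are still permitted in this domain'
}

# 2. Every account with SERVER_TRUST_ACCOUNT (0x2000 = 8192) set is a DC, NT4 BDCs
#    included. Once the NT box is decommissioned, anything here that is not a 2003
#    server is a stale object that should be investigated and removed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'dNSHostName'))
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties['name']
    $os   = [string]$r.Properties['operatingsystem']
    $flag = if ($os -notlike '*2003*') { '  <-- not a 2003 DC, verify and remove' } else { '' }
    "{0,-18} {1}{2}" -f $name, $os, $flag
}

# 3. All five role holders must be 2003 DCs once the NT4 PDC is gone.
netdom query fsmo

# 4. Quiet dcdiag prints only failing tests.
dcdiag /q
```

The DC list is the check that would have caught the state described a few comments up, where Users and Computers still listed the NT box under Domain Controllers while members could not authenticate.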
