
Move Domain users / machines and DHCP from old NT server to 2003 server

Posted on 2010-09-10
Last Modified: 2013-12-23
We have an old Windows NT server box that now has nothing on it except - it is the domain controller for one domain and it is the DHCP server for that network segment.  I would like to move those 2 functions off of that box and decommission it.

I have a newer server that has 2003 Enterprise server installed and is in use for some other things. I would like to make that the primary domain controller and move all the users over (copy/ move so I do not have to recreate all the users and reestablish the trust relationships between machines). Ditto the DHCP, turn that option on and move all the current leases and reservations over.

Can this be done so I do not have to recreate or redo anything?  If so, how?

Thanks
0
Question by:dlwynne
17 Comments
 
LVL 2

Expert Comment

by:twichert
ID: 33647012
You will need to promote the 2003 server to the domain controller for that domain with NT 4.0 compatibility, then promote it to the PDC.  Part of the process will require ADPREP to be run to prepare the Active Directory for hosting a 2003 domain controller.  You will then need to configure the DHCP service on it for that network segment.  You will then need to turn off DHCP service on the NT 4.0 domain controller and demote it from domain controller status.  Finally, authorize and activate the DHCP scope on the 2003 domain controller.  Additionally, you can then raise the forest and domain functional levels to 2003.

The tricky part is that you cannot move DHCP leases from the NT4.0 machine to the 2003 machine, but Windows does perform gratuitous ARP, and this should allow the 2003 machine to take over DHCP without too many IP conflicts occurring.

Let me know if you have any further questions.
0
 
LVL 5

Expert Comment

by:Swapnil Prajapati
ID: 33647672
This might help you with your part, moving your DHCP database from NT 4.0 to Windows 2003
0
 
LVL 5

Expert Comment

by:Swapnil Prajapati
ID: 33647693
You can use ADMT for your User Migration

You can use the ADMT to migrate users, groups, and computers from one domain to another, and to analyze the migration impact before and after the actual migration process. Make sure that you run ADMT from the primary domain controller (PDC) that is the Flexible Single Master Operation (FSMO) role holder in the target domain.

http://www.petri.co.il/active_directory_migration_tool_usage_nt_windows_2003.htm
0
 
LVL 2

Accepted Solution

by:
twichert earned 2000 total points
ID: 33655537
You really do not want to use the ADMT tool unless you are migrating to a new domain.  As I understand it, you wish to keep the same domain so that you do not need to recreate all the trust relationships, etc.  If that is the case, then you'll want to perform the steps I outlined.

Apparently there IS a way to move the DHCP leases database from NT 4.0 to 2003 in MS KB 325473.

http://support.microsoft.com/kb/325473/
0
 

Author Comment

by:dlwynne
ID: 33656482
"As I understand it, you wish to keep the same domain so that you do not need to recreate all the trust relationships, etc"

Thanks, that is correct. I do not want to have to re-join or do anything else, just have the same domain now controlled by the newer 2003 server and the NT box is off. Ditto the DHCP.

I found this TechNet article, which looks similar to the DHCP link you posted;

http://technet.microsoft.com/en-us/library/cc781522.aspx
0
 
LVL 2

Expert Comment

by:twichert
ID: 33663932
Anything else I can do to help, dlwynne?
0
 

Author Comment

by:dlwynne
ID: 33663967
I am going to try it today or Tuesday, as soon as I put some new fires out. I will report back with my success or lack thereof :-)
0
 
LVL 2

Expert Comment

by:twichert
ID: 33665419
Sounds good dlwynne.  If you need any more help on this, I'll be around.
0
 

Author Comment

by:dlwynne
ID: 33686907
I got the DHCP moved without a problem. I used the how-to you linked to

http://support.microsoft.com/kb/325473/

I was trying to follow a similar how-to for moving the domain

http://support.microsoft.com/kb/555549

But the very first link is bad

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

Do you have a step by step guide of what I need to do?

From your reply it looks like I need to do this:

1) Make the new 2003 server a domain controller in the old domain (secondary controller) ?
2) Promote it to the primary controller which demotes the old NT box?
3) Remove the old NT box from the domain?

Somewhere along the way I need to run ADPREP and do some other steps?

Thanks

0
 

Assisted Solution

by:dlwynne
dlwynne earned 0 total points
ID: 33687407
I get an error trying to find the old NT domain when trying to make the 2003 server an "additional domain controller on an existing domain". I give it the admin user name and password for the NT domain and the NT domain name and it returns the error "Active directory domain controller for the domain ___ could not be found".

Based on what I see here:

http://www.networkclue.com/os/Windows/server/nt-2003-migration.aspx

and here

http://support.microsoft.com/kb/326209/en-us

it looks like you can't go from NT to 2003 as you proposed...


0
 
LVL 2

Expert Comment

by:twichert
ID: 33691830
You are absolutely right.

I was sure I'd migrated from NT 4 to 2003 before and kept the whole domain intact.  Turns out I did perform that migration, but I was remembering the path wrong.  There is a way to do it, but it requires two domain controllers.  You will need an NT 4.0 PDC and BDC. If you have that requirement met, then you can run the upgrade path documented here:

http://www.networkclue.com/os/Windows/server/nt-2003-migration.aspx

Otherwise, you'll need to use the ADMT tool.

Sorry 'bout that.
0
 

Author Comment

by:dlwynne
ID: 33701192
Can I mix 2003 x64 and 2003 r2 32 bit domain controllers as primary and secondary (to do the update) ?

I have the test box on NT server as the PDC and need to upgrade it.  The final, real PDC is running 2003 (non R2) 64 bit enterprise. I have a spare license of 2003 R2 32 bit I can use to upgrade the NT box.  Is that OK?  I can't find anything online that says that you can't mix R2 and non-R2 2003 servers (or 64 and 32 bit) as primary and backup domain controllers on the same domain.

Thanks
0
 

Author Comment

by:dlwynne
ID: 33744821
I have the PDC moved to the 2003 server and the BDC is on the old NT box.  I am getting a lot of errors on machines in the domain, like these:



Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1053
Date:            9/23/2010
Time:            9:33:27 AM
User:            NT AUTHORITY\SYSTEM
Computer:      POWEREDGE
Description:
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      SRMSVC
Event Category:      None
Event ID:      12317
Date:            9/23/2010
Time:            8:55:21 AM
User:            N/A
Computer:      POWEREDGE
Description:
File Server Resource Manager failed to enumerate share paths or DFS paths.  Mappings from local file paths to share and DFS paths may be incomplete or temporarily unavailable.  FSRM will retry the operation at a later time.

Error-specific details:
   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.

   Error: (0x80070005) Access is denied.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 50 4d 43 41 43 48 45 43   PMCACHEC
0008: 38 33 33 00 00 00 00 00   833.....
0010: 50 4d 43 41 43 48 45 43   PMCACHEC
0018: 37 33 38 00 00 00 00 00   738.....


 
 
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5790
Date:  9/23/2010
Time:  9:18:56 AM
User:  N/A
Computer: POWEREDGE
Description:
No suitable Domain Controller is available for domain INFOLINK. An NT4 or older domain controller is available but it cannot be used for authentication purposes in the Windows 2000 or newer domain that this computer is a member of. The following error occurred:
There are currently no logon servers available to service the logon request.
 
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5790
Date:  9/23/2010
Time:  9:18:56 AM
User:  N/A
Computer: POWEREDGE
Description:
No suitable Domain Controller is available for domain INFOLINK. An NT4 or older domain controller is available but it cannot be used for authentication purposes in the Windows 2000 or newer domain that this computer is a member of. The following error occurred:
There are currently no logon servers available to service the logon request.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    
   

 
 
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date:  9/23/2010
Time:  8:55:21 AM
User:  N/A
Computer: POWEREDGE
Description:
The Security System detected an authentication error for the server cifs/EISWIN.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0  
0
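As an added illustration (not part of the thread and not written by any poster): a small Python triage script for event text pasted in the layout shown in the comment above. It groups events by source and ID and decodes a 4-byte `Data:` dump as a little-endian status code, so `5e 00 00 c0` lines up with the `0xc000005e` in the LSASRV description; the sample input, the domain name `EXAMPLE` and the function names are constructed for the example.

```python
import re
from collections import Counter

# Codes seen in the thread, with the wording the events themselves use.
KNOWN = {0xC000005E: "no logon servers available", 0x80070005: "access is denied"}

# Constructed sample in the copied Event Viewer layout used in the thread.
SAMPLE = """\
Event Type: Error
Event Source: NETLOGON
Event ID: 5790
Description:
No suitable Domain Controller is available for domain EXAMPLE.
Data:
0000: 5e 00 00 c0

Event Type: Warning
Event Source: LSASRV
Event ID: 40960
Description:
The Security System detected an authentication error. (0xc000005e)

Event Type: Warning
Event Source: SRMSVC
Event ID: 12317
Description:
   Error: (0x80070005) Access is denied.
Data:
0000: 50 4d 43 41 43 48 45 43   PMCACHEC
"""

# Split pasted text into events; collect header fields and status codes.
def parse_events(text):
    events = []
    for chunk in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        ev = dict(re.findall(r"(?m)^(Event Source|Event ID):\s*(.+?)\s*$", chunk))
        codes = {int(h, 16) for h in re.findall(r"\(0x([0-9a-fA-F]{8})\)", chunk)}
        # A dump of exactly 4 bytes is a little-endian status: 5e 00 00 c0 -> 0xC000005E
        for raw in re.findall(r"(?m)^0000:((?: [0-9a-f]{2}){4})(?! [0-9a-f]{2})", chunk):
            codes.add(int.from_bytes(bytes.fromhex(raw), "little"))
        ev["codes"] = codes
        events.append(ev)
    return events

def summarize(events):  # count (source, event id, meaning); repeats collapse to one row
    tally = Counter()
    for ev in events:
        for code in ev["codes"] or {None}:
            tally[(ev["Event Source"], ev["Event ID"], KNOWN.get(code, "unknown"))] += 1
    return tally
```

Grouping this way shows the NETLOGON and LSASRV entries reporting the same underlying status, which points at domain controller availability rather than at two separate faults.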
 
LVL 2

Expert Comment

by:twichert
ID: 33746829
Yes, you can mix architectures.  AD doesn't care.
0
 
LVL 2

Expert Comment

by:twichert
ID: 33746839
What forest and domain functional levels does the 2003 domain controller believe AD is currently set to?
0
 

Author Comment

by:dlwynne
ID: 33790966
It shows the new name.domain.com I set up and under pre-Windows 2000 it shows the old domain name.

It does say Domain and Forest functional levels are "Windows Server 2003 Interim"

Under users and computers it shows all the users and machines we had before, and under domain controllers it shows the new 2003 box and the old NT box.

Even though this machine and user (for example) are shown, the event log has:

The session setup from the computer ADAMXP failed to authenticate. The name(s) of the account(s) referenced in the security database is ADAMXP$.  The following error occurred:
Access is denied.
0
 

Author Comment

by:dlwynne
ID: 33841771
OK, I think I have everything working now.

I had to remove the old NT box from the domain and upgrade the domain and forest to non-interim Windows Server 2003 and some other changes.
0
