

software installed on member server while logged as domain admin

Posted on 2011-03-23
Medium Priority
Last Modified: 2012-06-21
I have a member server that is part of a Windows NT 4.0 domain.
This member server is running Windows Server 2003.
We're scrapping the Windows NT domain controller since it's like 15 years old hardware-wise.

I'm using another Windows Server 2003 box to be configured as domain controller and configuring a new Windows domain from scratch.
There are only 10-20 user accounts on the old NT 4.0 PDC, so rather than worrying about doing an upgrade or migration I've decided to start from scratch.

My concern is we have a member server box that I'll need to remove from the Windows NT 4.0 domain and I'll need to add this as a member server to the new Windows Server domain I configure.

The proprietary software that this member server box is running is vital to keep intact.
The previous net administrators didn't document anything, so they're providing us with nothing.
I have a feeling the proprietary software installed on this member server may have been installed under the domain admin logon, so I'm worried that when I remove this member server from the Windows NT 4.0 domain I may find the software isn't installed or properly configured on the local administrator account.

I'm sure this type of scenario is common enough. Can anyone please explain what will happen in this scenario and what I can do?
Keep in mind the Windows NT 4.0 server's hardware is really old and not suitable to just do an in-place upgrade on.
Question by:techguy1979

Expert Comment

ID: 35202638
There are a couple things you can do.

1.  Log into the Member server as the local admin and test the software.
2.  Don't do an in place upgrade, but migrate to 2k3 Domain.

For number two - prep the forest and domain for 2k3, then do a DCPromo on a 2k3 server (the new DC).
Move all the server roles to the new server, then demote the old NT.  Raise the domain level to 2k3.

That way the domain admin is still the same user and the member server is untouched.

After you get to 2k3, then you can do the same to get to 2k8 if you want.

Author Comment

ID: 35202818
What all goes into the preparation you speak of, "prep the forest and domain for 2k3"?
Migrating from Windows NT 4.0, wouldn't I have to migrate to Windows 2k before Windows 2k3?
How do I move the server roles from the NT 4.0 DC to the new Windows 2k3 domain controller?

Accepted Solution

Justin Owens earned 2000 total points
ID: 35202925
Your scenario:

You have two concurrently running domains.  You have an app server on Domain A (your NT4 Domain).  You want to disjoin it (make it stand alone) and then join it to Domain B (your AD 2003 Domain).  Your fear is that the proprietary application on your app server uses a domain member account from Domain A to run, and you have no documentation to use to know for sure.

Your need:

You need to come up with some kind of test to ensure it will work when migrated to the new domain.


In an ideal world, you can create a backup of your app server and restore that backup to another, unused server.  Join that "test" server to the new domain and see if it works.

In a slightly less than ideal world, do a complete backup of your app server.  Rather than disjoining it from your domain, remove the network cable.  THEN disjoin from the domain using a local admin account (this way your computer account is not removed from NT4). This assumes the app server is not your PDC or a BDC in your NT4 domain.  Join the new domain and test your app.  Restore from backup if it fails.

In an even less ideal world, do a complete backup of your app server.  Disjoin the old domain.  Join the new domain.  See if the app works.  Reverse the process to get it back to the NT4 domain.  If the app still fails, restore from backup.


Don't create a new domain.  Join the NT4 domain with your Server 2003.  Make the server 2003 a DC on the NT4 domain through migration.  This involves two concurrent domains, but instead of a cold cut, you establish a trust and migrate your users and computers across the trust to the new domain.  The step by step can be found here:


This will bypass having to use 2000 to do a direct upgrade of NT4 to AD.
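
An added example, not part of the original answer: before running any of the disjoin tests described above, this PowerShell sketch inventories where the app server still references accounts from the old domain (service logons, local group membership, and ACLs on the application folder). It assumes PowerShell 2.0 has been installed on the Server 2003 box; `OLDDOMAIN` and `D:\ProprietaryApp` are placeholders for the NT4 domain's NetBIOS name and the application's install path.

```powershell
# Added example: run on the member server as a local administrator, before disjoining.
# OLDDOMAIN and the application path are placeholders, not values from the thread.
param(
    [string]$OldDomain = 'OLDDOMAIN',
    [string]$AppPath   = 'D:\ProprietaryApp'
)

function New-Finding($Check, $Item, $Account) {
    New-Object PSObject -Property @{ Check = $Check; Item = $Item; Account = $Account }
}

$findings = @(
    # 1. Services that log on with an account from the old domain.
    #    These fail to start once that domain can no longer authenticate the account.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -like "$OldDomain\*" } |
        ForEach-Object { New-Finding 'Service logon' $_.Name $_.StartName }

    # 2. Old-domain principals in local groups (rights the app may depend on).
    #    Domain members appear as WinNT://DOMAIN/name; local accounts carry the
    #    computer name in the path and are skipped.
    foreach ($name in 'Administrators', 'Power Users', 'Users') {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            if ($path -like "WinNT://$OldDomain/*" -and $path -notlike "*/$env:COMPUTERNAME/*") {
                New-Finding 'Local group member' $name ($path -replace '^WinNT://', '')
            }
        }
    }

    # 3. Permissions on the application folder granted to old-domain accounts.
    if (Test-Path $AppPath) {
        (Get-Acl -Path $AppPath).Access |
            Where-Object { $_.IdentityReference.Value -like "$OldDomain\*" } |
            ForEach-Object { New-Finding 'Folder ACL' $AppPath $_.IdentityReference.Value }
    }
)

if ($findings.Count -eq 0) {
    "No references to $OldDomain accounts found in services, local groups, or $AppPath."
} else {
    $findings | Select-Object Check, Item, Account | Format-Table -AutoSize
}
```

Each finding is something to recreate with a local or new-domain account before the cutover; an empty result covers only these three places, so the backup-and-test steps above still apply.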


Expert Comment

by:Justin Owens
ID: 35202958
By the way, you can also just install NT4 on your new server, make it a BDC, promote it to a PDC, and then do an inline upgrade to Server 2003.  This might be easier than going the trust route:


