

software installed on member server while logged as domain admin

Posted on 2011-03-23
Medium Priority
Last Modified: 2012-06-21
I have a member server that is part of a Windows NT 4.0 domain.
This member server is running Windows 2003 Server.
We're scrapping the Windows NT domain controller since it's like 15 years old hardware-wise.

I'm using another Windows Server 2003 box to be configured as domain controller and configuring new Windows domain from scratch.
There's only 10-20 user accounts on the old NT 4.0 PDC, so rather than worrying about doing an upgrade or migration I've decided to start from scratch.

My concern is we have a member server box that I'll need to remove from the Windows NT 4.0 domain and I'll need to add this as a member server to the new Windows Server domain I configure.

The proprietary software that this member server box is running is vital to keep intact.
The previous net administrators didn't document anything so they're providing us with nothing.
I have a feeling the proprietary software installed to this member server may have been installed under the domain admin logon, so I'm worried when I remove this member server from the Windows NT 4.0 domain I may find the software isn't installed or properly configured on local administrator account.

I'm sure this type of scenario is common enough. Can anyone please explain what will happen in this scenario and what I can do?
Keep in mind the Windows NT 4.0 server's hardware is really old and not suitable to just do an in-place upgrade on.
Question by:techguy1979

Expert Comment

ID: 35202638
There are a couple things you can do.

1.  Log into the Member server as the local admin and test the software.
2.  Don't do an in place upgrade, but migrate to 2k3 Domain.

For number two - prep the forest and domain for 2k3, then do a DCPromo on a 2k3 server (the New DC).
Move all the Server roles to the new server then demote the old NT. Raise the domain level to 2k3.

That way the domain admin is still the same user and the member server is untouched.

After you get to 2k3, then you can do the same to get to 2k8 if you want.

Author Comment

ID: 35202818
What all goes into the preparation you speak of, "prep the forest and domain for 2k3"?
Migrating from Windows NT 4.0, wouldn't I have to migrate to Windows 2k before Windows 2k3?
How do I move the server roles from NT 4.0 DC to Windows 2k3 new domain controller?

Accepted Solution

Justin Owens earned 2000 total points
ID: 35202925
Your scenario:

You have two concurrently running domains.  You have an app server on Domain A (your NT4 Domain).  You want to disjoin it (make it stand alone) and then join it to Domain B (your AD 2003 Domain).  Your fear is that the proprietary application on your app server uses a domain member account from Domain A to run, and you have no documentation to use to know for sure.

Your need:

You need to come up with some kind of test to ensure it will work when migrated to the new domain.


In an ideal world, you can create a backup of your app server and restore that backup to another, unused server.  Join that "test" server to the new domain and see if it works.

In a slightly less than ideal world, do a complete backup of your app server. Rather than disjoining it from your domain, remove the network cable. THEN disjoin from the domain using a local admin account (this way your computer account is not removed from NT4). This assumes the app server is not your PDC or a BDC in your NT4 domain. Join the new domain and test your app. Restore from backup if it fails.

In an even less ideal world, do a complete backup of your app server.  Disjoin the old domain.  Join the new domain.  See if the app works.  Reverse the process to get it back to the NT4 domain.  If the app still fails, restore from backup.


Don't create a new domain.  Join the NT4 domain with your Server 2003.  Make the server 2003 a DC on the NT4 domain through migration.  This involves two concurrent domains, but instead of a cold cut, you establish a trust and migrate your users and computers across the trust to the new domain.  The step by step can be found here:


This will bypass having to use 2000 to do a direct upgrade of NT4 to AD.
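
An added example, not part of the original thread: one way to check the undocumented dependency described in the accepted solution is to list which services on the app server log on with a domain account before disjoining it. It parses constructed output of `wmic service get Name,StartName /format:csv`; the host name APPSRV01, the domain OLDNT4 and the service names are assumptions made up for illustration.

```python
import csv
import io

# Constructed sample of `wmic service get Name,StartName /format:csv` output,
# already decoded to text. Host, domain and service names are made up.
SAMPLE_WMIC_CSV = """
Node,Name,StartName
APPSRV01,Spooler,LocalSystem
APPSRV01,Dnscache,NT AUTHORITY\\NetworkService
APPSRV01,VendorAppEngine,OLDNT4\\svc_vendorapp
APPSRV01,VendorAppSync,OLDNT4\\Administrator
APPSRV01,BackupAgent,.\\backupsvc
APPSRV01,LocalReports,APPSRV01\\reports
APPSRV01,SomeDriver,
"""


def classify_account(start_name, node):
    """Return 'none', 'builtin', 'local' or 'domain' for a service logon account."""
    name = (start_name or "").strip()
    if not name:
        return "none"  # no logon account recorded
    if name.lower() == "localsystem":
        return "builtin"
    if "\\" in name:
        authority = name.split("\\", 1)[0].lower()
        if authority == "nt authority":
            return "builtin"  # LocalService / NetworkService
        if authority in (".", node.lower()):
            return "local"  # account in this server's own SAM
        return "domain"  # DOMAIN\user from some other authority
    # user@domain is a UPN-style domain logon; a bare name is treated as local
    return "domain" if "@" in name else "local"


def domain_dependent_services(wmic_csv):
    """List (service, account) pairs that log on with a domain account."""
    found = []
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        account = (row.get("StartName") or "").strip()
        if classify_account(account, row.get("Node") or "") == "domain":
            found.append((row["Name"], account))
    return found


if __name__ == "__main__":
    for service, account in domain_dependent_services(SAMPLE_WMIC_CSV):
        print(f"{service}: runs as {account}")
```

Service logon accounts are only one dependency; scheduled tasks, local group memberships and file or registry ACLs can also reference old-domain accounts.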


Expert Comment

by:Justin Owens
ID: 35202958
By the way, you can also just install NT4 on your new server, make it a BDC, promote it to a PDC, and then do an inline upgrade to Server 2003.  This might be easier than going the trust route:


