Solved

Replacing an NT 4.0 Domain with Active Directory

Posted on 2013-01-02
Last Modified: 2013-01-14
Yep, an NT 4.0 domain.  That is not a misprint.

Management is finally willing to part ways with the cash necessary to replace our old NT 4.0 domain with Active Directory because of a new application they will be wanting to get in the near future.

I'm interested in knowing if anyone has ever replaced an NT 4.0 domain directly with an AD domain.  Should I just get my AD servers (I'm trying really hard not to type 'PDC' and 'BDC') configured and running on a separate LAN and, when ready, shut down the old NT units and bring up the Win2k8 servers with the same domain name on the existing LAN?

That sounds way too easy...

The domain has about 270 users and 300 workstations/laptops/servers total split among 11 different locations.  I'm willing to manually create the AD user accounts to mimic the existing NT accounts, but I'd really love to not have to travel to each location and manually add the workstation to the new AD domain or something similarly crazy like that.

Anyway, if anyone has any insight on the topic I'd love to hear it or see a link.

Thanks In Advance!
0
Question by:bubarooni
12 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 125 total points
ID: 38737400
That was a long time ago when I shut down my last NT4 domain :)
However, I would suggest following this Microsoft guide and migrating the NT4 domain to Windows Server 2003:
http://technet.microsoft.com/en-us/library/cc783091%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38737418
Another option is a migration to Windows 2000 Server domain controllers and then updating them with the latest SP4. From then on, you are able to add 2008/2008R2 DCs, as NT4 domains are not supported by 2008 DCs.
http://technet.microsoft.com/en-us/library/bb742548.aspx

When using Windows 2000 Server/2003 Server, remember that the Domain Functional Level must be set to Windows 2000 mixed mode. Otherwise, NT4 domains are not supported.

Krzysztof
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38737427
How about setting up a DC in your current office, along with all the remote location DCs, then shipping them out to your onsite techs so they can complete the work?
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 250 total points
ID: 38737465
There is good documentation on the MS website for this; you should check it too.

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/en-us/download/details.aspx?id=2479
0
 

Author Comment

by:bubarooni
ID: 38737681
Thanks for all the quick responses!

I've seen several different articles on migrating from NT to 2k/2k3, just not directly to 2k8.

I was hoping someone had done that direct migration before.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38737781
Yes, because there is no option for that. Windows Server 2008/2008R2 does not support NT4 domains, so that's why there is no direct way. If you want to use a 2008/2008R2 DC, you need to have at least Windows 2000 native Domain Functional Level. That means no NT4 domains, and if you are using 2000 DCs then all of them must be running SP4.

Krzysztof
0
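
A pre-flight check for the prerequisites listed in the comment above (Windows 2000 native mode, no NT4 DCs, every Windows 2000 DC on SP4), as an added example that is not part of the thread. The function names, sample hosts and the `operatingSystem` string patterns are assumptions; `ntMixedDomain`, `operatingSystem` and `operatingSystemServicePack` are standard AD attributes.

```powershell
# Added example (not from the thread). Checks the prerequisites as stated in the
# comment above: Windows 2000 native mode, no NT4 DCs, Windows 2000 DCs at SP4.
function Test-Dc2008Readiness {
    param(
        [int]$NtMixedDomain,          # domain-head attribute ntMixedDomain: 1 = mixed, 0 = native
        [object[]]$DomainControllers  # objects with Name, OperatingSystem, ServicePack
    )
    $findings = @()
    if ($NtMixedDomain -ne 0) {
        $findings += 'Domain is still in mixed mode (ntMixedDomain = 1).'
    }
    foreach ($dc in $DomainControllers) {
        # OS string patterns are assumptions about how operatingSystem is populated.
        if ($dc.OperatingSystem -match 'Windows NT') {
            $findings += "$($dc.Name): NT4 domain controller still present."
        } elseif ($dc.OperatingSystem -match 'Windows 2000' -and $dc.ServicePack -ne 'Service Pack 4') {
            $findings += "$($dc.Name): Windows 2000 DC below SP4 ('$($dc.ServicePack)')."
        }
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Reads the same inputs from a live domain over ADSI (run from a domain member).
function Get-DcInventory {
    $root     = [adsi]'LDAP://RootDSE'
    $domain   = [adsi]"LDAP://$($root.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    # userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks DC computer accounts.
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $dcs = foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name            = [string]($r.Properties['name'] | Select-Object -First 1)
            OperatingSystem = [string]($r.Properties['operatingsystem'] | Select-Object -First 1)
            ServicePack     = [string]($r.Properties['operatingsystemservicepack'] | Select-Object -First 1)
        }
    }
    [pscustomobject]@{
        NtMixedDomain     = [int]$domain.Properties['ntMixedDomain'].Value
        DomainControllers = @($dcs)
    }
}

# Constructed sample inventory (hypothetical names) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'DC-UPGRADED'; OperatingSystem = 'Windows 2000 Server'; ServicePack = 'Service Pack 3' }
    [pscustomobject]@{ Name = 'OLD-BDC1';    OperatingSystem = 'Windows NT';          ServicePack = '' }
)
$result = Test-Dc2008Readiness -NtMixedDomain 1 -DomainControllers $sample
$result.Findings
```

Against a live domain, pass the two properties returned by `Get-DcInventory` to `Test-Dc2008Readiness` instead of the sample data.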
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38737903
One liner... Can't upgrade from NT4.0 to 2008; you need at least 2000 SP4 servers...
0
 

Author Comment

by:bubarooni
ID: 38738051
OK, I was wondering if that was kinda where I was heading with this.

That gives me two options then:

1. Migrate from NT to either Win2k/2k3 and then upgrade to Win2k8
2. Remove NT DCs and replace with AD DCs

Is that about right?

I've seen the many articles on option 1.  What would option 2 entail?  

About the only things the NT 4.0 servers are used for at this point are login authentication and file security, and that's it.  If I manually recreated the user accounts on the Win2k8 server, is that enough, or am I going to have to create machine accounts as well?  Are there going to be all kinds of SID issues when I try to log on to machines that first time after I swap the servers out?
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 250 total points
ID: 38738108
Migration is the best bet for you.

If you plan to create users manually then you will have to rejoin all the workstations from the old domain to the new domain.

All SIDs will be changed, so you will have to use USMT to migrate the profile of each and every user on his desktop/laptop (huge pain).
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 38738842
I agree - you want to use a migration and migrate to 2000/2003 first then to 2008/2012.

For 300 systems/users, you're talking about a massive nightmare of user profile migrations and permissions adjustments and rejoining machines to a new domain.  It took me a week to do 15 in one site when I rebuilt a domain...

Of course, that can depend on how savvy your users are, but no matter how savvy, it's going to take a LONG time if you don't do a migration.
0
 

Author Comment

by:bubarooni
ID: 38755157
OK, I'm going to accept the migration thing because I don't wanna manually add user AND machine accounts.

In addition to the MS doc listed above, is the following link on migration pretty spot on?

http://www.winfrastructure.net/article.aspx?BlogEntry=Migration-from-NT4-to-Windows-2003-Active-Directory-domain-part-1
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 38755939
So I can sometimes start preaching about terminology... and I think the terminology has evolved over the years.  In the NT4 to AD days, a migration meant you were going to use ADMT and migrate to a new domain while preserving your user and computer accounts.

These days, when you migrate (especially in the SBS world) you're moving from one server to another while preserving the domain.

To be clear, you have three options:
1. Start clean with a new AD domain and recreate all users and join all computers to the domain.
2. MIGRATE the users and computers using ADMT to a new AD domain.  Preserves SOME data but not all (users would have to reset their passwords).  In my experience, this is NOT as simple as it sounds and there have often been flaky problems doing this.
3. UPGRADE the domain by migrating to new servers.  The BASIC procedure is this:
a) install an NT4 BDC on your network (preferably in a VM)
b) promote that BDC to the PDC role.
c) upgrade that VM to 2000/2003 (if 2003 supported - I honestly don't recall).
d) remove all old NT4 BDCs
e) migrate that 2000/2003 DC to a 2008 DC on another VM.

Once you switch away from Mixed Mode domain in AD, the NT4 BDCs will no longer replicate with the AD and their information will become stale.

DO THIS IN A TEST ENVIRONMENT FIRST (VMs!) so you have some experience and know what you'll be doing.  And better still, hire someone to work with you who has experience.  Doing this alone with no experience for a user base of 300 is INCREDIBLY UNWISE in my opinion!
0
