Replacing an NT 4.0 Domain with Active Directory

Yep, an NT 4.0 domain.  That is not a misprint.

Management is finally willing to part ways with the cash necessary to replace our old NT 4.0 domain with Active Directory because of a new application they will be wanting to get in the near future.

I'm interested in knowing if anyone has ever replaced an NT 4.0 domain directly with an AD domain.  Should I just get my AD servers (I'm trying really hard not to type 'PDC' and 'BDC') configured and running on a separate LAN and, when ready, shut down the old NT units and bring up the Win2k8 servers with the same domain name on the existing LAN?

That sounds way too easy...

The domain has about 270 users and 300 workstations/laptops/servers total split among 11 different locations.  I'm willing to manually create the AD user accounts to mimic the existing NT accounts, but I'd really love to not have to travel to each location and manually add the workstation to the new AD domain or something similarly crazy like that.

Anyway, if anyone has any insight on the topic I'd love to hear it or see a link.

Thanks In Advance!
Krzysztof Pytko, Senior Active Directory Engineer, commented:
That was a long time ago when I shut down my last NT4 domain :)
However, I would suggest following this Microsoft guide and migrating the NT4 domain to Windows Server 2003.

Krzysztof Pytko, Senior Active Directory Engineer, commented:
Another option is a migration to Windows 2000 Server Domain Controllers and then updating them with the latest SP4. From then on, you are able to add 2008/2008R2 DCs, as NT4 domains are not supported by 2008 DCs.

Using Windows 2000 Server/2003 Server, remember that the Domain Functional Level must be set to Windows 2000 mixed mode. Otherwise, NT4 domains are not supported.

Tony Giangreco commented:
How about setting up a DC in your current office, along with all the remote location DCs, then shipping them out to your onsite techs so they can complete the work?

Sarang Tinguria, Sr Engineer, commented:
There is good documentation on the MS website for this; you should check this too:

Migrating from Windows NT Server 4.0 to Windows Server 2003
bubarooni (Author) commented:
Thanks for all the quick responses!

I've seen several different articles on migrating from NT to 2k/2k3, just not directly to 2k8.

I was hoping someone had done that direct migration before.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Yes, because there is no option for that. Windows Server 2008/2008R2 does not support NT4 domains. So, that's why there is no direct way. If you want to use 2008/2008R2 DCs you need to have at least the Windows 2000 native Domain Functional Level. That means no NT4 domains, and if you are using 2000 DCs then all of them must be running SP4.

Sarang Tinguria, Sr Engineer, commented:
One liner... You can't upgrade from NT 4.0 to 2008; you need at least 2000 SP4 servers...
bubarooni (Author) commented:
OK, I was wondering if that was kinda where I was heading with this.

That gives me two options then:

1. Migrate from NT to either Win2k/2k3 and then upgrade to Win2k8
2. Remove NT DCs and replace with AD DCs

Is that about right?

I've seen the many articles on option 1.  What would option 2 entail?  

About the only thing the NT 4.0 servers are used for at this point is login authentication and file security, and that's it.  If I manually recreated the user accounts on the Win2k8 server, is that enough, or am I going to have to create machine accounts as well?  Are there going to be all kinds of SID issues when I try and log on machines that first time after I swap the servers out?
Sarang Tinguria, Sr Engineer, commented:
Migration is the best bet for you.

If you plan to create manual users then you will have to rejoin all the workstations from old Domain to new domain

All SIDs will be changed, so you will have to use USMT to migrate the profile of each and every user on his desktop/laptop (huge pain).
Lee W, MVP, Technology and Business Process Advisor, commented:
I agree - you want to use a migration and migrate to 2000/2003 first then to 2008/2012.

For 300 systems/users, you're talking about a massive nightmare of user profile migrations and permissions adjustments and rejoining machines to a new domain.  It took me a week to do 15 in one site when I rebuilt a domain...

Of course, that can depend on how savvy your users are, but no matter how savvy, it's going to take a LONG time if you don't do a migration.
bubarooni (Author) commented:
OK, I'm going to accept the migration thing because I don't wanna manually add user AND machine accounts.

In addition to the MS doc listed above, is the following link on migration pretty spot on?
Lee W, MVP, Technology and Business Process Advisor, commented:
So I can sometimes start preaching about terminology... and I think the terminology has evolved over the years.  In the NT4 to AD days, a migration meant you were going to use ADMT and migrate to a new domain while preserving your user and computer accounts.

These days, when you migrate (especially in the SBS world) you're moving from one server to another while preserving the domain.

To be clear, you have three options:
1. Start clean with a new AD domain and recreate all users and join all computers to the domain.
2. MIGRATE the users and computers using ADMT to a new AD domain.  Preserves SOME data but not all (users would have to reset their passwords).  In my experience, this is NOT as simple as it sounds and there have often been flaky problems doing this.
3. UPGRADE the domain by migrating to new servers.  The BASIC procedure is this:
a) install an NT4 BDC on your network (preferably in a VM)
b) promote that BDC to the PDC role.
c) upgrade that VM to 2000/2003 (if 2003 supported - I honestly don't recall).
d) remove all old NT4 BDCs
e) migrate that 2000/2003 DC to a 2008 DC on another VM.

Once you switch away from Mixed Mode domain in AD, the NT4 BDCs will no longer replicate with the AD and their information will become stale.

DO THIS IN A TEST ENVIRONMENT FIRST (VMs!) so you have some experience and know what you'll be doing.  And better still, hire someone to work with you who has experience.  Doing this alone with no experience for a user base of 300 is INCREDIBLY UNWISE in my opinion!
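A pre-flight check for the prerequisite the thread keeps returning to (no NT4 BDCs left, every Windows 2000 DC on SP4, domain no longer in mixed mode) that fits between step d) and step e) of the procedure above. This is an added example, not code from any commenter or from Microsoft's guide; it uses only ADSI because the ActiveDirectory PowerShell module does not exist in a 2000/2003 domain, and it assumes it is run from a domain-joined Windows host with PowerShell 2.0 or later and that NT4 BDC computer accounts leave the operatingSystemVersion attribute empty (which they do, since NT4 never writes it).

```powershell
# Added check, not from the original thread. Reads the domain's
# ntMixedDomain flag and each DC's recorded OS version / service pack
# via plain ADSI and returns a list of blockers for introducing a 2008 DC.

function Get-FirstValue($props, $name) {
    # SearchResult property keys are lowercase; Contains() normalises the name.
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return [string]$props[$name][0] }
    return ""
}

function Test-Nt4MigrationReadiness {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domain   = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $problems = @()

    # ntMixedDomain = 1 means Windows 2000 mixed mode: NT4 BDCs may still replicate.
    if ([int]$domain.Properties["ntMixedDomain"].Value -eq 1) {
        $problems += "Domain is still in Windows 2000 mixed mode; switch to native mode once the last NT4 BDC is gone."
    }

    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT, decimal 8192) marks DC computer accounts;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("name", "operatingSystemVersion", "operatingSystemServicePack"))

    foreach ($dc in $searcher.FindAll()) {
        $name = Get-FirstValue $dc.Properties "name"
        $ver  = Get-FirstValue $dc.Properties "operatingSystemVersion"   # "5.0 (2195)" = 2000, "5.2 (3790)" = 2003
        $sp   = Get-FirstValue $dc.Properties "operatingSystemServicePack"

        if (-not $ver) {
            # Assumption: an empty version means an NT4 BDC (NT4 never populates the attribute).
            $problems += "${name}: no OS version recorded (probably an NT4 BDC); remove it before step e)."
        } elseif ($ver -match '^5\.0' -and $sp -ne 'Service Pack 4') {
            $problems += "${name}: Windows 2000 DC at '$sp'; every 2000 DC must be on SP4 before a 2008 DC joins."
        }
    }
    return $problems
}

# Wrap in @() so .Count works even when the function returns nothing (PowerShell 2.0).
$issues = @(Test-Nt4MigrationReadiness)
if ($issues.Count -eq 0) { "No blockers found: the domain is ready for its first Windows Server 2008 DC." }
else { $issues }
```

Run it against the test environment first, as the comment above recommends, and re-run after step d) to confirm the stale NT4 BDC accounts are really gone.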