Solved

Replacing an NT 4.0 Domain with Active Directory

Posted on 2013-01-02
Last Modified: 2013-01-14
Yep, an NT 4.0 domain.  That is not a misprint.

Management is finally willing to part ways with the cash necessary to replace our old NT 4.0 domain with Active Directory because of a new application they will be wanting to get in the near future.

I'm interested in knowing if anyone has ever replaced an NT 4.0 domain directly with an AD domain.  Should I just get my AD servers (I'm trying really hard not to type 'PDC' and 'BDC') configured and running on a separate LAN and when ready shut down the old NT units and bring up the Win2k8 servers with the same domain name on the existing LAN?

That sounds way too easy...

The domain has about 270 users and 300 workstations/laptops/servers total split among 11 different locations.  I'm willing to manually create the AD user accounts to mimic the existing NT accounts, but I'd really love to not have to travel to each location and manually add the workstation to the new AD domain or something similarly crazy like that.

Anyway, if anyone has any insight on the topic I'd love to hear it or see a link.

Thanks In Advance!
Question by:bubarooni
12 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 125 total points
ID: 38737400
That was a long time ago when I shut down my last NT4 domain :)
However, I would suggest following this Microsoft guide and migrating the NT4 domain to Windows Server 2003:
http://technet.microsoft.com/en-us/library/cc783091%28WS.10%29.aspx

Regards,
Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38737418
Another option is a migration to Windows 2000 Server Domain Controllers, then updating them with the latest SP4. From then on, you are able to add 2008/2008R2 DCs, as NT4 domains are not supported by 2008 DCs.
http://technet.microsoft.com/en-us/library/bb742548.aspx

When using Windows 2000 Server/2003 Server, remember that the Domain Functional Level must be set to Windows 2000 mixed mode. Otherwise, NT4 domains are not supported.

Krzysztof
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38737427
How about setting up a DC in your current office, along with all the remote location DCs, then shipping them out to your onsite techs so they can complete the work?
 
LVL 18

Assisted Solution

by:sarang_tinguria
sarang_tinguria earned 250 total points
ID: 38737465
There is good documentation on the MS website for this; you should check this too:

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/en-us/download/details.aspx?id=2479
 

Author Comment

by:bubarooni
ID: 38737681
Thanks for all the quick responses!

I've seen several different articles on migrating from NT to 2k/2k3, just not directly to 2k8.

I was hoping someone had done that direct migration before.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38737781
Yes, because there is no option for that. Windows Server 2008/2008R2 does not support NT4 domains. So, that's why there is no direct way. If you want to use a 2008/2008R2 DC you need to have at least Windows 2000 native Domain Functional Level. That means no NT4 domains, and if you are using 2000 DCs then all of them must be running SP4.

Krzysztof
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 38737903
One liner... Can't upgrade from NT4.0 to 2008; you need at least 2000 SP4 servers...
 

Author Comment

by:bubarooni
ID: 38738051
OK, I was wondering if that was kinda where I was heading with this.

That gives me two options then:

1. Migrate from NT to either Win2k/2k3 and then upgrade to Win2k8
2. Remove NT DCs and replace with AD DCs

Is that about right?

I've seen the many articles on option 1.  What would option 2 entail?

About the only thing the NT 4.0 servers are used for at this point are login authentication and file security and that's it.  If I manually recreated the user accounts on the Win2k8 server, is that enough or am I going to have to create machine accounts as well?  Are there going to be all kinds of SID issues when I try and log on machines that first time after I swap the servers out?
 
LVL 18

Assisted Solution

by:sarang_tinguria
sarang_tinguria earned 250 total points
ID: 38738108
Migration is the best bet for you.

If you plan to create users manually then you will have to rejoin all the workstations from the old domain to the new domain.

All SIDs will be changed, so you will have to use USMT to migrate the profile of each and every user on his desktop/laptop (huge pain).
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 38738842
I agree - you want to use a migration and migrate to 2000/2003 first then to 2008/2012.

For 300 systems/users, you're talking about a massive nightmare of user profile migrations and permissions adjustments and rejoining machines to a new domain.  It took me a week to do 15 in one site when I rebuilt a domain...

Of course, that can depend on how savvy your users are, but no matter how savvy, it's going to take a LONG time if you don't do a migration.
 

Author Comment

by:bubarooni
ID: 38755157
OK, I'm going to accept the migration thing because I don't wanna manually add user AND machine accounts.

In addition to the MS doc listed above, is the following link on migration pretty spot on?

http://www.winfrastructure.net/article.aspx?BlogEntry=Migration-from-NT4-to-Windows-2003-Active-Directory-domain-part-1
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 38755939
So I can sometimes start preaching about terminology... and I think the terminology has evolved over the years.  In the NT4 to AD days, a migration meant you were going to use ADMT and migrate to a new domain while preserving your user and computer accounts.

These days, when you migrate (especially in the SBS world) you're moving from one server to another while preserving the domain.

To be clear, you have three options:
1. Start clean with a new AD domain and recreate all users and join all computers to the domain.
2. MIGRATE the users and computers using ADMT to a new AD domain.  Preserves SOME data but not all (users would have to reset their passwords).  In my experience, this is NOT as simple as it sounds and there have often been flaky problems doing this.
3. UPGRADE the domain by migrating to new servers.  The BASIC procedure is this:
a) install an NT4 BDC on your network (preferably in a VM)
b) promote that BDC to the PDC role.
c) upgrade that VM to 2000/2003 (if 2003 supported - I honestly don't recall).
d) remove all old NT4 BDCs
e) migrate that 2000/2003 DC to a 2008 DC on another VM.

Once you switch away from Mixed Mode domain in AD, the NT4 BDCs will no longer replicate with the AD and their information will become stale.

DO THIS IN A TEST ENVIRONMENT FIRST (VMs!) so you have some experience and know what you'll be doing.  And better still, hire someone to work with you who has experience.  Doing this alone with no experience for a user base of 300 is INCREDIBLY UNWISE in my opinion!