Migration from NT 4.0 domain to 2000 active directory

We are getting ready to migrate to Active directory from NT 4.0 domain
controllers. I am planning on using the Active Directory Migration tool to
do this.

My question is: How do the clients get pointed to the new domain/ active
directory once it has been created? Do they each have to be done separately?
A few of the client machines will still be running NT 4.0

Thanks for any advice

Matt Fitz
 
ADMTv3 has been out for a while, so be sure to use that version.
(http://www.microsoft.com/downloads/...7B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)

Migration high level steps are:
* Make sure the AD has been configured (sites, subnets, replication, OUs,
delegations, etc.)
* Migrate groups, user accounts and group memberships (with sidhistory)
* Migrate clients from the source domain to the target domain, translate
security on the client, and translate profiles (at this moment users start
logging on with their new AD account on the migrated clients)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data from source security principals to
target security principals
* Cleanup sidhistory (recommended!) (Sidhistory should only be used
temporarily for migration purposes!)


For more info on migrating to an AD domain also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx
Both Quest and NetIQ have ebooks about migration. They also provide good
info.
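
For the sidhistory cleanup step listed above, an added example (not part of the original post and not ADMT code) that reports which migrated objects still carry sIDHistory and from which source domain. It assumes an LDIF export of the target domain (for example from ldifde) in which sIDHistory appears as base64 values; the domain SID and the DNs in the sample are constructed.

```python
import base64
import struct
from collections import defaultdict

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID (used here only to build the sample)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit authority, RIDs."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big")), *map(str, subs)])

def sidhistory_report(ldif):
    """Return {source domain SID: [(dn, old SID), ...]} for entries with sIDHistory."""
    report = defaultdict(list)
    dn = None
    for line in ldif.replace("\n ", "").splitlines():  # undo LDIF line folding
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("sIDHistory:: ") and dn:  # '::' marks a base64 value
            sid = bytes_to_sid(base64.b64decode(line[len("sIDHistory:: "):]))
            report[sid.rsplit("-", 1)[0]].append((dn, sid))
    return dict(report)

# Constructed sample: the domain SID and the DNs are made up for illustration.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
def _b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode()

SAMPLE_LDIF = f"""dn: CN=Alice,OU=Staff,DC=ad,DC=company,DC=local
sAMAccountName: alice
sIDHistory:: {_b64(OLD_DOMAIN + "-1105")}

dn: CN=Bob,OU=Staff,DC=ad,DC=company,DC=local
sAMAccountName: bob

dn: CN=Sales,OU=Groups,DC=ad,DC=company,DC=local
sIDHistory:: {_b64(OLD_DOMAIN + "-1200")}
"""

if __name__ == "__main__":
    for domain, entries in sidhistory_report(SAMPLE_LDIF).items():
        print(f"{len(entries)} object(s) still carry SIDs from {domain}")
        for dn, sid in entries:
            print(f"  {dn}  <-  {sid}")
```

An empty report after security translation (Re-ACL) is the signal that no object depends on the old domain's SIDs any more.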
 
The short answer is - if you use ADMT to migrate the clients, the new
domain's NetBIOS name stays the same (even though the DNS name has changed).
To make it simple (and far more transparent) if your NT domain is named
"company", name the AD domain "company.local". The machines will assume the
".local" part from the DNS suffix of the domain they are a member of, so the
new domain can be properly referenced as either "company.local" or just
"company" as before. If you name your new domain "somethingelse.local", the
migrated clients will still log on to "company".

....kurt
 
If you have an NT domain called COMPANY and you want to go to AD there are 2
possibilities:
(1) In-place upgrade of the NT domain to AD
(2) Install pristine AD forest/domain and migrate contents from NT domain to
AD domain

(1) In-place upgrade of the NT domain to AD
You achieve this by upgrading the NT4 PDC to a W2K3 DC. After that you have
the possibility to upgrade all other NT4 BDCs or just introduce new W2K3 DCs
and remove the old NT4 BDCs (which I prefer)
In this case the NetBIOS domain name DOES NOT change and additionally you
get a DNS name which could be COMPANY.LOCAL or COMPANY.COM. Because you only
upgraded the version of the domain, the NetBIOS name does not change and the
SID of the security principals (users, groups and computers) does not change.
Therefore it is not needed to migrate stuff (users, computers and groups)
and a migration tool like ADMT is also not needed. There is nothing to
migrate to!

(2) Install pristine AD forest/domain and migrate contents from NT domain to
AD domain
You achieve this by installing a new AD forest/domain parallel to the
existing NT4 domain. The NT4 domain remains almost untouched, except for
some preparations to be able to migrate stuff (users, computers and groups).
The NetBIOS name of the AD domain MUST change. So if the NT4 domain is
called COMPANY, the NetBIOS name of the AD domain cannot be called COMPANY!
It must be something else like AD while the DNS is something like
AD.COMPANY.LOCAL.
In this case you will need a migration tool like ADMT because you will need
to migrate (or clone) users, groups and computers (SID will change because
of the cloning and you can migrate with sidhistory). Besides cloning the
computer account to the new domain you also need to change the domain
membership of the computer (only for servers and clients you want to
migrate)
 
Thanks Kurt:

I kind of figured that each client would need to be joined to the new
Active Directory domain separately. I did not know that we could keep it the
same as the NT 4.0 domain. If you keep the same name as the NT 4.0 domain for
the new Active directory, can the old NT 4.0 domain run in parallel until we
know everything is working properly?

Thanks

Matt Fitz
 