Mixed mode - native mode - nt 40 + 2000

  • Thread starter Thread starter robert
  • Start date Start date
R

robert

Hello All -


I am studying my 70-290 mcp book and have a scenario:

If you have an NT 4.0 PDC/BDC and you install a new active directory based
serevr (i.e. buy a new server from dell with 2000 or 2003 on it)
anf you want to migrate all of your accounts (say you 500 users in 10
groups).

I understand that you would be in 2000 mixed mode (as default) but how do
you migrate all of the users and keep the
approprite SID history? if your in mixed mode?


This is has got me frazzled; becuase you would not want to re-create all of
your acl/ace entries for the new DC, instead
you would want to have that "SID History" move with the existing accounts
from the NT 4.0 server...



Thank You,


Robert
 
you are mixing things...

when having NT4 and you want to go to W2K/W2K3 you have 2 options:
(1) upgrade... in short: the PDC is upgraded, other W2K/W2K3 DCs are
introduced and the NT4 DCs are removed. As soon as all NT4 DCs are gone, you
can increase the mode (w2K) or the functional level (w2k3). All information
from the NT4 domain is preserved during the upgrade and available afterwards
in AD. The domain ID (or SID) does not change. Because of that resource
access is preserved.
as an example see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/01/Example-NT4-to-AD-upgrade.aspx

(2) migrate... in short: parallel to the NT4 you build a new W2K/W2K3 AD.
That new AD will NOT have the info of the NT4 domain because it was build
from scratch and because of that it will also have a different domain ID
(SID). As there are no NT4 DCs in that domain, you can increase the domain
mode or functional level as soon as the first W2K/W2K3 DC is live. So to
"move" all the info (users, groups, computers) from NT4 to AD you need to
migrate it with a migration tool like ADMTv3 from MS. That way the info
(users, groups, computers) will also be available in AD. However to preserve
access to resources (data,etc) you need to migrate with sIDHistory. After
that you need to migrate the data to the new domain and as the data contains
ACLs with ACEs from the NT4 domain you need to translate security from the
NT4 domain to the AD domain (also done by the migration tool). As soon as
that is done you can cleanup sidhistory
as an example see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
robert said:
Hello All -


I am studying my 70-290 mcp book and have a scenario:

If you have an NT 4.0 PDC/BDC and you install a new active directory based
serevr (i.e. buy a new server from dell with 2000 or 2003 on it)
anf you want to migrate all of your accounts (say you 500 users in 10
groups).

I understand that you would be in 2000 mixed mode (as default) but how do
you migrate all of the users and keep the
approprite SID history? if your in mixed mode?
Click to expand...

You don't.
This is has got me frazzled; becuase you would not want to re-create all
of your acl/ace entries for the new DC, instead
you would want to have that "SID History" move with the existing accounts
from the NT 4.0 server...
Click to expand...

So generally you would want to RE-install the "new" machine as an NT4
BDC, promote to PDC, and then upgrade the "now PDC" to Win2003,
thus upgrading the domain and no SIDs change.

Otherwise you advanced the level of the domain to one of Win2000 Natve
or Win2003 Server native modes.
 
Ahhh I see... So ADMT will migrate sID History but after readuing through
your
page - it seems like youre going to have to re-acl/ace everything anyways.

I think i just over though that whole situation, sometimes when i havent
been exposed to a system with 1500 user
accounts and 250 groups across 5 site links (using every ad model) it can
become kinda
hard to really understand (and therefore think with) some of the windows
server stuff...


Thanks for oyur help...



Robert
"Jorge de Almeida Pinto [MVP - DS]"
 
robert said:
Ahhh I see... So ADMT will migrate sID History but after readuing through
your
page - it seems like youre going to have to re-acl/ace everything anyways.
Click to expand...

If you upgrade the PDC then there is no issue with migration or reason for
ADMT + SidHistory list so mode doesn't matter (for this.)

If you use the new machine to create a new domain (with a DIFFERENT
NETBIOS name while we are discussing it) then you don't have any NT4
BDCs in that new domain and so mode is a trivial issue -- just advance the
mode since "all" (the only) DC is Win2003.
I think i just over though that whole situation, sometimes when i havent
been exposed to a system with 1500 user
accounts and 250 groups across 5 site links (using every ad model) it can
become kinda
hard to really understand (and therefore think with) some of the windows
server stuff...
Click to expand...

It shouldn't because that is a false trap -- thinking you need large system
experience to figure out what is essentially a problem for small companies
as much or more than large ones (small companies are much more likely
to have a current PDC that cannot be upgraded due to obsolete hardware.)

This is a very important point if you wish to do better on exams, AND in
real life, you must presume that you can figure things out.

Sometimes there will be a difference (replication for 1500 users, not very
large really, is different than for 100, and for 150,000 is quite different)
but most things are simple if you REALLY understand the basics and
work it through logically.

This doesn't mean that in real life you don't discuss your designs with
people having more experience and more varied experience but it
does mean you should be close to a solution almost all the time and
understand whatever cautions they raise.
 
Back
Top