Question on planning


Michel Chiasson

Finally migrating from a 3 server NT domain (1 PDC, 2 BDC), to a Win2k3 Active
Directory environment. The AD on our new win2k3 is up and running, and
ready to welcome the new users! : )

My biggest concern is the File server..

Would it be possible to like emulate the NT domain on our new AD domain to
migrate users and still access their old file server in the NT domain? I
don't want to migrate all at once, and would like to do it gradually, if
that's possible.

If not, is the other way around possible? Migrate the File server to the
new AD, and still be accessible to the NT users??

Thanks for taking time reading this..
 
Michel Chiasson said:
Finally migrating from a 3 server NT domain (1 PDC, 2 BDC), to a Win2k3
Active Directory environment. The AD on our new win2k3 is up and
running, and ready to welcome the new users! : )

Most people will be FAR BETTER off (fewer problems
and issues) if they JUST UPGRADE to Win2003.

My biggest concern is the File server..

One of the major reasons for UPGRADING rather than
trying to re-create the users on a 'new domain.'
Would it be possible to like emulate the NT domain on our new AD domain to
migrate users and still access their old file server in the NT domain? I
don't want to migrate all at once, and would like to do it gradually, if
that's possible.

Everything that seems to concern you would be solved
by upgrading.

Even if your hardware doesn't (directly) support such
upgrades there are (easy) tricks to still upgrade the
NT domain.

If not, is the other way around possible? Migrate the File server to the
new AD, and still be accessible to the NT users??

You are likely going to have security and permissions
issues with any form of migration -- all this can be
avoided by upgrading.

Also, with User Profiles which just work when you
upgrade.
 
Herb Martin said:
Most people will be FAR BETTER off (fewer problems
and issues) if they JUST UPGRADE to Win2003.


One of the major reasons for UPGRADING rather than
trying to re-create the users on a 'new domain.'


Everything that seems to concern you would be solved
by upgrading.

Even if your hardware doesn't (directly) support such
upgrades there are (easy) tricks to still upgrade the
NT domain.


You are likely going to have security and permissions
issues with any form of migration -- all this can be
avoided by upgrading.

Also, with User Profiles which just work when you
upgrade.

Yah, maybe you're right.. It's just that the NT domain is soooo much
messyyy.. And the box, way too small to handle Win2k3.. What's the trick you
were talking about?
 
Yah, maybe you're right.. It's just that the NT domain is soooo much
messyyy.. And the box, way too small to handle Win2k3.. What's the trick
you were talking about?


I am going to say it straight out (with no intention to
criticize, only to state the case):

Anyone who has a "messy" NT domain will soon have
a messy (probably worse) AD domain.

Clean it up -- now or after you upgrade, but don't use
this phony reason to avoid upgrading. This idea has
been propagated largely by those who aren't very good
at maintaining their domains.

Trust those who are GOOD at Domain Administration
and you will find that the normal recommendation is
"upgrade".

These systems were DESIGNED to be upgradable and
you will definitely avoid far more problems in almost
all cases by doing so rather than "starting over".

Chances are, even the "import" itself would propagate
most of the mess junk so there isn't even a reasonable
chance you wouldn't be just as "messy".
 
Hi

Check these nice tips and decide:

Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
http://technet2.microsoft.com/WindowsServer/en/Library/b170bdc5-ba55-4184-8a8f-acb7705ff04a1033.mspx
Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0
Environment
http://technet2.microsoft.com/WindowsServer/en/Library/faf881bd-5189-40bb-b2bb-08bd5b6759c91033.mspx
Domain and forest functionality
http://technet2.microsoft.com/WindowsServer/en/Library/b3674c9b-fab9-4c1e-a8f6-7871264712711033.mspx

--
Best Regards
Systems Administrator
MCSA + Exchange



Herb Martin said:
Yah, maybe you're right.. It's just that the NT domain is soooo much
messyyy.. And the box, way too small to handle Win2k3.. What's the trick
you were talking about?


I am going to say it straight out (with no intention to
criticize, only to state the case):

Anyone who has a "messy" NT domain will soon have
a messy (probably worse) AD domain.

Clean it up -- now or after you upgrade, but don't use
this phony reason to avoid upgrading. This idea has
been propagated largely by those who aren't very good
at maintaining their domains.

Trust those who are GOOD at Domain Administration
and you will find that the normal recommendation is
"upgrade".

These systems were DESIGNED to be upgradable and
you will definitely avoid far more problems in almost
all cases by doing so rather than "starting over".

Chances are, even the "import" itself would propagate
most of the mess junk so there isn't even a reasonable
chance you wouldn't be just as "messy".


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Michel Chiasson said:
Yah, maybe you're right.. It's just that the NT domain is soooo much
messyyy.. And the box, way too small to handle Win2k3.. What's the trick
you were talking about?
 
Again, what's the trick you were talking about?

I am going to say it straight out (with no intention to
criticize, only to state the case):

Anyone who has a "messy" NT domain will soon have
a messy (probably worse) AD domain.

That "anyone" doesn't work here anymore..

Clean it up -- now or after you upgrade, but don't use
this phony reason to avoid upgrading. This idea has
been propagated largely by those who aren't very good
at maintaining their domains.

Again, I need that trick of yours! :D
 
Check these nice tips and decide:

Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
http://technet2.microsoft.com/WindowsServer/en/Library/b170bdc5-ba55-4184-8a8f-acb7705ff04a1033.mspx
Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0
Environment
http://technet2.microsoft.com/WindowsServer/en/Library/faf881bd-5189-40bb-b2bb-08bd5b6759c91033.mspx
Domain and forest functionality
http://technet2.microsoft.com/WindowsServer/en/Library/b3674c9b-fab9-4c1e-a8f6-7871264712711033.mspx

Thanks for the tips man!
 
Ai Learning said:
Again, what's the trick you were talking about?



Again, I need that trick of yours! :D

There are several actually. Install NT4 as a BDC (yes, NT4-BDC)
on a brand new machine and promote it to PDC -- now
upgrade it to Win2003 as the first DC.

Another method, that only had to WORK TEMPORARILY,
is to move the hard drive from NT PDC to a new machine.
You might have to also rebuild the partition larger and do
a backup/restore for this to work.

Once you are upgraded to AD, you add new DCs and retire
the "hacked" first machine if desired.

The key is that the PDC must be the FIRST DC upgraded,
but that can be either the current PDC, a new BDC promoted
to PDC, or the drive moved or backup/restored to new
hardware.

Practically always one of these methods will work.
 
I'm going to respectfully disagree with Herb.

Upgrade isn't always the way to go. Straightening out years of neglect
in an NT4 domain just so you can upgrade is often more work than the
migration.

2003 wouldn't run on some of the older DC's I've seen still in
production, adding new hardware as an NT4 DC for the sole purpose of
running the upgrade doesn't always meet time budgets, and not all
organizations can assume risk of a big-bang weekend. They must slide
into the migration to mitigate risk. And of course corporate mergers
almost always require a migration, as most corps are not very
tolerant of domain sprawl.

Does a migration have more problems than an upgrade? I'll argue the
number of problems in either case is more dependent on the planning
than the method. So more problems? No. Different kinds? Sure.

Anyway I didn't see a direct answer to your question: Can you take this
migration in small steps? Can migrated users access resources
(fileshares) in the old domain? Can users not yet migrated access
resources that have been migrated?

Yes, Yes and Yes.
IF.
IF you have a trust between them and IF you use ADMT or another
3rd party migration tool. These tools allow you to migrate with SID
history and translate security on the computers and servers.

Now consider well the order of the objects you need to migrate; I would
recommend this order, I've used it in 4 mergers and find it works
nicely, but YMMV
1) Migrate groups w/o members.
2) Migrate Service Accounts (even if you don't use them right off)
3) Users AND their workstations. (in whatever increment you want
--10, 20, or 100 at a time) This step requires a tickle of the
workstation. Not only does the domain membership change, but profiles
and ACL (NTFS, Registry etc, User Rights Assignments) are translated by
the tool. ADMT and the good migration tools do this for you.

4) Fileservers. (again in any increment you want) This step also
requires profiles and security translation, and again the tools will do
it for you. You should also switch over your service accounts to the
migrated versions at this point.

Then finally when all users, computers and servers have been migrated
you can break the trust, and remove SID history. (NOTE: Depending on
your tool selection you may have to re-acl the servers to use the
security principals from the new domain and remove the old domain
references BEFORE you break the trust or remove SID history --If your
tool doesn't provide an option for this you can build your own easy
enough with subinacl.)

In this order, users in the W2k3 domain can access NT4 domain resources
via SID history. Non-migrated users continue to access the NT
fileservers as they always have; as the server's security hasn't
changed because servers aren't migrated until the users are all done.

That's broadbrush. But I hope it's enough to get you started on
planning your migration.
One last thing to consider about migrations. Don't Dally. Sure you
can do it in small steps. Just take those steps at a good pace. You open
yourself up to more headaches the longer the migration continues.
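
A pre-cutover check for the re-ACL note in the post above, as an added example that is not part of the original thread: it lists NTFS owners and explicit ACEs under a share root that still carry SIDs from the source domain, which is what must be empty before the trust is broken or SID history removed. The share path and the domain SID are constructed placeholders.

```powershell
# Added example, not from the thread. $Root and $OldDomainSid are constructed
# placeholders: substitute the share root and the source (NT4) domain SID.
param(
    [string]$Root = 'D:\Shares',
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$oldDomain = New-Object System.Security.Principal.SecurityIdentifier($OldDomainSid)

function Test-OldDomainSid {
    param($Sid, $DomainSid)
    # AccountDomainSid is $null for well-known SIDs (Everyone, BUILTIN\...).
    return ($null -ne $Sid.AccountDomainSid) -and $Sid.AccountDomainSid.Equals($DomainSid)
}

function Get-OldDomainReference {
    param([string]$Path, $DomainSid)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"; return }

    # Request raw SIDs so entries are found even if the name no longer resolves.
    $owner = $acl.GetOwner($sidType)
    if (Test-OldDomainSid $owner $DomainSid) {
        [pscustomobject]@{ Path = $Path; Kind = 'Owner'; Sid = $owner.Value; Rights = '' }
    }
    # Explicit ACEs only ($false = skip inherited); inherited ones are fixed at the parent.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if (Test-OldDomainSid $ace.IdentityReference $DomainSid) {
            [pscustomobject]@{ Path = $Path; Kind = "$($ace.AccessControlType) ACE"
                               Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$hits = @($items | ForEach-Object { Get-OldDomainReference -Path $_.FullName -DomainSid $oldDomain })

$hits | Sort-Object Path | Format-Table -AutoSize
'{0} owner/ACE entries under {1} still reference {2}' -f $hits.Count, $Root, $OldDomainSid
```

This covers NTFS owners and ACEs only; share permissions, registry ACLs and user rights assignments, which step 3 also lists as translated, need their own checks.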
 