Rollback an NT to 2003 upgrade
Mtay23
Guest

Posted: Thu Jan 06, 2005 6:07 am    Post subject: Rollback an NT to 2003 upgrade

I have performed two tests of rolling back to an NT domain and encountered the
following problem.

In NT the machines had been on the "Testing" domain. For Active Directory I
made the domain "Testing.local".

I placed a BDC offline and upgraded my PDC to 2003 with Active Directory. I
then did a fresh install of a server with 2003 and joined it to the domain
and synced with the 2003 DC. I transferred all of the FSMO roles to the fresh
server and reloaded the upgraded server from scratch, then synced the two of
them.

I then decided to test the fallback.

After the migration my client machines all showed their domain as being
"testing.local" ... not "testing" anymore. When I took down the 2003 servers
and placed the BDC that I took offline back on the network and promoted it
back to PDC, none of my machines could log onto the domain. They would error
out saying that "testing.local" could not be reached. I had to physically
touch each of them and change their domain back to "testing".
Luckily there were only 6 machines in my lab but my network has 1500.

How can I fall back to my NT domain without having to touch 1500 machines and
rejoin the domain?

Also I have read that this fallback procedure can take 4-6 hours to
perform. During this 4-6 hours is my network going to be unavailable? Or can
it be done with no disruption of service to my users?

I appreciate any knowledge you pass on.

Mark Taylor

cladel
Guest

Posted: Thu Jan 06, 2005 8:11 am    Post subject: RE: Rollback an NT to 2003 upgrade

I had the same question on the other end: if you put the "local" in the
domain name, will you then have to tell all of the XP and W98 clients to put
"local" in the login domain name?
Frances [MSFT]
Guest

Posted: Thu Jan 06, 2005 5:42 pm    Post subject: RE: Rollback an NT to 2003 upgrade

Hello Mark,

I am not quite clear about your test. What are the clients' OS? I assumed
you have made an upgrade process to make Windows NT domain "Testing" to
Windows 2003 domain. Generally speaking, the domain NetBIOS name remains
the same. "Testing.local" looks like the DNS name of the win2k3 domain. It
seems you have given "Testing.local" as a DNS name when you installed DNS
on win2k3 server.

With regards to the reason why none of your machines could log onto the
domain when you took down the 2003 servers, you may refer to article 284937
below. When you upgrade to Windows 2003 domain, all the Windows 2000/XP
clients may only authenticate with the new Windows Server 2003 DC with
Kerberos as the authentication protocol. When you took down the 2003
servers, these work stations would not reuse NTLM protocol to authenticate
with PDC again. So they cannot log onto the domain. Down-level clients do
not change the authentication protocols, so they would contact the PDC and
log onto the domain.

284937 Windows 2000-based clients connect only to the domain controller that
http://support.microsoft.com/?id=284937

298713 How to prevent overloading on the first domain controller during
domain
http://support.microsoft.com/?id=298713

To resolve the problem, you may add NT4Emulator on Windows NT 4.0 PDC. Then
upgrade the domain controllers to Windows 2003 domain controller. In this
situation, a Windows 2000/XP client will no longer receive group policy nor
will it do Kerberos authentication. The Windows 2003 domain controller may
just work like a Windows NT 4.0 PDC. You can roll back the domain without
rejoining the workstations into domain.

In addition, clients use DNS to resolve "Testing.local" in a Windows 2003
domain, and WINS in a Windows NT domain. However, there is no DNS server to
accept the request when you took down the 2003 servers. You need to make
sure clients point to the correct DNS and WINS server in your test.

As for moving the computer accounts to another domain in batch, you can
refer to the following article:

Resetting computer accounts in Windows 2000 and Windows XP
http://support.microsoft.com/kb/216393/EN-US/

Description of Netdom.exe Syntax and Versions
http://support.microsoft.com/default.aspx?scid=kb;en-us;329721

Hope it helps. Any updates, let us get in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Mtay23
Guest

Posted: Thu Jan 06, 2005 6:17 pm    Post subject: RE: Rollback an NT to 2003 upgrade

Frances,

For my test I ran DNS and WINS on a Win2000 member server. The clients were
all Win2000 Pro. When I would look at the domain listed in the computer
properties it had changed to "testing.local".

For my upgrade I upgrade the PDC, then do a fresh install on another server,
move the FSMO roles and then reload the original PDC from scratch, ending up
with 2 2003 servers, then turning off all of my NT servers.

By doing this will I cancel out any benefits provided by the NT4Emulator?


Also If I leave the PDC that was upgraded to 2003 with NT4Emulator intact
afterward instead of reloading it from scratch, and then decide to perform a
rollback, then all of my WIN2000 clients will be able to log into domain just
as they did prior to the upgrade without any Admin intervention?

Additionally, should I do a rollback this way, will my domain be down during
the rollback, or will my users be able to continue to work without
experiencing ill effects?


Frances [MSFT]
Guest

Posted: Fri Jan 07, 2005 2:30 pm    Post subject: RE: Rollback an NT to 2003 upgrade

Hello Mark,

From your description, "testing.local" is a DNS name in the Windows 2003
domain.

As for your questions I would like to answer them in sequence.

1. By doing this will I cancel out any benefits provided by the
NT4Emulator?

A: Yes. Without NT4Emulator, all the Windows 2000/XP clients may only
authenticate with the new Windows Server 2003 DC. That is why your clients
cannot log onto the domain when you took down the 2003 servers. It will
also cause overload issue to the new Windows 2003 DC.
Without NT4Emulator, when you play the roll back process, your clients do
not recognize the PDC, so you have to manually rejoin the domain.
On the other hand, NT4Emulator is only an interim workaround. When you
upgrade all the BDC to Windows 2003, you may turn off the NT4Emulator.

2. Also If I leave the PDC that was upgraded to 2003 with NT4Emulator
intact afterward instead of reloading it from scratch, and then decide to
perform a rollback, then all of my WIN2000 clients will be able to log into
domain just as they did prior to the upgrade without any Admin intervention?

A: Yes. In this case, the clients can contact PDC when you have a roll
back. You needn't manually rejoin the workstations to the domain.
Note: If you update with NT4Emulator, when you add other Windows 2003 DCs,
you have to add NeutralizeNT4Emulator, otherwise, since the Windows 2003
member server does not consider it as a Normal Windows 2003 domain, the
promotion may not work.

Please refer to article 284937 to add NT4Emulator on Windows NT 4.0 PDC.
http://support.microsoft.com/?id=284937

3. Additionally, should I do a rollback this way, will my domain be down
during the rollback, or will my users be able to continue to work without
experiencing ill effects?

A: Generally speaking, this will not take a long time. However, I suggest
that you do the rollback outside business hours for security reasons.

Any updates, let us get in touch!

Best regards,

Frances He

