wsmith (Guest)
Posted: Fri Jan 14, 2005 8:25 pm
Post subject: Passwords? Interforest migration problems

Greetings.

My question: Is it possible to migrate users with passwords intact
from one 2003 forest in mixed mode to another 2003 forest in mixed
mode, without changing the passwords?

We have reason to collapse our old forest and move to a new one, but
sadly it will need to remain in mixed mode for some time to come due to
legacy OSes.

I have successfully moved computer and user objects, but when I try and
move the password with the user, it fails with access denied. I have
created my Password encryption floppy, and set up ADMT and installed
the Password migration DLL. All needed accounts are local
administrators on the domains in each forest.

I can migrate accounts no problem if the password is not kept with the
account. It's only when I try and move the password that it fails.

I have followed the info on this page:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbg_rent_erud.asp

Is this possible or is Native mode required?

Thanks much for any guidance.

mote (Guest)
Posted: Fri Jan 14, 2005 9:59 pm
Post subject: Re: Passwords? Interforest migration problems

Native Mode is a requirement.
By legacy OS do you mean Windows NT BDCs?
cheers

Rebecca Chen [MSFT] (Guest)
Posted: Mon Jan 17, 2005 8:32 am
Post subject: Re: Passwords? Interforest migration problems

Hi Smith,

Yes, as Mote has stated, ADMT needs to be installed in Windows 2000 Native
Mode or greater. The ADMT wizard will also check to see if the target
domain is in Windows 2000 Native Mode or greater, and progress will halt if
that condition is unmet. These are the requirements for user and
group account migration:

User & Group Account Migration
- The source domain must trust the target domain.
- The target domain must be in Windows 2000 Native Mode or greater.
- The user account used to run ADMT must have administrative privileges in
the source domain.
- The user account used to run ADMT must have delegated permissions for the
target OU.
- NetBIOS and host name (DNS) resolution

In my opinion, there is no workaround to migrate account and password in
Mixed Mode.

Please take a look at the following links:

How to Use Active Directory Migration Tool Version 2 to Migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;326480

Active Directory Migration Tool Overview
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.asp

You can download ADMT from the link below:

Windows 2000 Active Directory Migration Tool
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

Any questions, let us get in touch!

Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

wsmith (Guest)
Posted: Wed Jan 19, 2005 2:12 am
Post subject: Re: Passwords? Interforest migration problems

Thanks so much for the replies.

Finally worked it out, all NT BDCs will be decommissioned.
So I should be good to go for the Native mode, but one last question
remains...

In addition to 5000 2k/xp machines, I have over 1000 Windows 95/98
machines that will need to become members of the new 2003 native
domain. Will it be a problem joining them?

They also connect back to many shares via net use command in scripts,
will this become a problem?

Thanks again for any input.

Rebecca Chen [MSFT] (Guest)
Posted: Wed Jan 19, 2005 4:07 pm
Post subject: Re: Passwords? Interforest migration problems

Hi Smith,

I understand.

As for the win95/98 machines, my opinion is to upgrade them to win2k or above
if possible. You will encounter some problems when win95/win98/ME systems
log on to the win2k3 domain.

By default, security settings on domain controllers running Windows Server
2003 are configured to help prevent domain controller communications from
being intercepted or tampered with by malicious users. For users to
successfully negotiate communications with a domain controller that runs
Windows Server 2003, these default security settings require that client
computers use both server message block (SMB) signing and encryption or
signing of secure channel traffic. Clients that run Windows NT 4.0 with SP2
or earlier installed and clients that run Windows 95 do not have SMB packet
signing enabled and cannot authenticate to a Windows Server 2003 domain
controller.

I strongly recommend you carefully read the following article before you
upgrade the domain to win2k3:

How to enable Windows 98/ME/NT clients to logon to Windows 2003 based
Domains
http://support.microsoft.com/?kbid=555038

From the article above, you need to install DSclient on win95/win98/ME
systems.

DSclient can be downloaded from the link below:

Active Directory Client Extensions for Windows 95/98 and Windows NT 4.0
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

In addition, you may also encounter the following issues:

Error Message When Windows 95 or Windows NT 4.0 Client Logs On to Windows
Server 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;811497&FR=1&PA=1&SD=HSCH

272594 Problems logging on to a Windows 2000-based server or a Windows
http://support.microsoft.com/?id=272594

With regards to the net use script, I cannot say it will work since I am
not sure how the script is developed. If this script only contains net use
command, probably it can be used in the new domain.

Any update, let us get in touch!

Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
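
The SMB signing and secure channel requirements described in the post above can be read from a domain controller's registry. The following is an added example, not part of the original thread; it assumes PowerShell 3.0 or later run locally on the domain controller, and the function name and output columns are illustrative.

```powershell
# Added example (not from the thread): report whether this domain controller
# enforces the signing requirements described above.
# The registry value names are the standard Windows ones behind the policies
# "Microsoft network server: Digitally sign communications (always)" and
# "Domain member: Digitally encrypt or sign secure channel data (always)".
# The function name and output columns are illustrative.
function Get-LegacyClientSigningPolicy {
    $lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $checks = @(
        @{ Path = $lanman;   Name = 'EnableSecuritySignature'
           Meaning = 'Server offers SMB signing' },
        @{ Path = $lanman;   Name = 'RequireSecuritySignature'
           Meaning = 'Server refuses clients that cannot sign SMB' },
        @{ Path = $netlogon; Name = 'RequireSignOrSeal'
           Meaning = 'Secure channel must be signed or encrypted' }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing value means the setting is not configured in the registry.
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Name     = $c.Name
            Value    = $value
            Enforced = ($value -eq 1)
            Meaning  = $c.Meaning
        }
    }
}

Get-LegacyClientSigningPolicy | Format-Table -AutoSize
```

A row with Enforced set to True for RequireSecuritySignature or RequireSignOrSeal marks a requirement that, per the post, Windows 95 and Windows NT 4.0 SP2-or-earlier clients cannot meet as shipped.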