Guest
Posted: Fri Jan 21, 2005 9:22 pm
Post subject: pulling nt4 domain into server 2003 domain
Hello!
I have upgraded 1 of my domains to w2k3, changed the mode to native,
migrated printing, and all is good! Now comes the tough part - I have
to pull the trusted NT4 domain into the w2k3 domain. I have been
playing around with admtv2, but I was wondering if someone could advise
me in more detail. I understand the idea of first pulling in the
groups, then the users, then the computers, then the servers (doing the
user profiles somewhere in there), but I'm worried about lots of
downtime and users' passwords not copying. Anyone done this before and
have some practical advice on the steps and how much downtime they will
require? My NT4 domain has about 100 computers and 150 users.
Thanks,
Nancy

Frances [MSFT]
Guest
Posted: Mon Jan 24, 2005 1:04 pm
Post subject: RE: pulling nt4 domain into server 2003 domain
Hello Nancy,
Thank you for posting!
From your message, I understand that your concerns are the downtime of the
process and the password migration.
As for the downtime, I cannot give you the exact time, as it is influenced
by the real environment and many other factors. I suggest that you do a
test and estimate the time.
As for the password part, I can give you the detailed process. I hope it
can help you.
To enable support for password migration:
I assume you log on to the win2k3 server with the admin privilege on both
domains and refer to the following instructions to migrate accounts.
Part I: Target Domain
---------------------
Complete the following steps on the domain controller in the target domain
on which you installed ADMT:
1. Insert a 3.5-inch disk into the floppy disk drive.
2. Open a command prompt, and then change to the directory on which you
installed ADMT. By default, this is the %SystemRoot%\Program Files\ folder.
3. Type the following command to create the encryption key to be used
during the migration of the user account passwords
"admt key <SourceDomainName> <FloppyDrive> [*/password]" (without the
quotation marks) where:
- The admt command is the name of the executable program.
- The key command specifies the generation of an encryption key.
- <SourceDomainName> is the NetBIOS name of the domain that contains the
passwords that you want to migrate.
- <FloppyDrive> is the drive letter of the floppy disk drive where the
encryption key will be written.
- [*/password] is optional; if you use it, you can encrypt the key with a
password. You can either type the password or you can type "*" (without the
quotation marks) to receive a prompt for a password that is not displayed
on the screen. If you type a password, you need to use it when you complete
the setup in the source domain.
Part II: Source Domain
----------------------
Complete the following steps on the PES in the source domain:
1. Double-click the Pwdmig.exe file that is located in the \i386 folder on
the Windows Server 2003 CD-ROM.
2. Insert the 3.5-inch disk that you created when you receive the following
message:
Please insert the floppy into the floppy disk containing the password
encryption key for this source domain. Click OK to continue.
3. Type the password when you are prompted, and then click OK.
4. Click Next.
5. Click Finish.
6. Click Start, click Run, type regedit, and then click OK.
7. Locate the AllowPasswordExport registry value in the following registry
key:
HKLM\System\CurrentControlSet\Control\LSA
8. Double-click AllowPasswordExport.
9. Change the value "0" to "1", and then click OK.
10. Restart the computer for the settings to take effect.
The password migration solution in ADMT was designed to provide a secure
general solution to password migration. Here are the key features of this
solution:
The password export server (PES) works on Windows NT 4.0 domain controllers
(including systems that have SYSKEY installed), on Windows 2000 domain
controllers, and on Windows Server 2003 domain controllers.
More info:
832221 How to configure the Active Directory Migration Tool to migrate user
passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain
<http://support.microsoft.com/?id=832221>
Enabling Password Migration
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbg_rent_erud.asp
How to Troubleshoot Inter-Forest Password Migration with ADMTv2
http://support.microsoft.com/default.aspx?scid=kb;en-us;322981
Hope it helps. If you have any further questions don't hesitate to get in
touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
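An added example, not part of the post above and not ADMT's own code: a PowerShell check for the AllowPasswordExport value that Part II sets, so the switch can be confirmed on the PES while passwords are being migrated and confirmed off again afterwards. The function name and the server names NT4-BDC01 and W2K3-DC01 are hypothetical, and the check assumes the Remote Registry service is reachable with administrative rights on each server.

```powershell
# Added example: report the state of AllowPasswordExport on one or more servers.
# Function name and server names are hypothetical placeholders.
function Get-PasswordExportState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    $subKey = 'System\CurrentControlSet\Control\Lsa'
    foreach ($computer in $ComputerName) {
        $hklm = $null; $lsa = $null; $value = $null
        try {
            # Requires the Remote Registry service and admin rights on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa = $hklm.OpenSubKey($subKey)          # opened read-only
            if ($null -eq $lsa) {
                $state = 'KeyMissing'
            } else {
                $value = $lsa.GetValue('AllowPasswordExport', $null)
                if ($null -eq $value) { $state = 'ValueAbsent' }
                elseif ($value -eq 1) { $state = 'ExportEnabled' }
                else                  { $state = 'ExportDisabled' }
            }
        } catch {
            $state = "Error: $($_.Exception.Message)"
        } finally {
            if ($lsa)  { $lsa.Close() }
            if ($hklm) { $hklm.Close() }
        }
        New-Object PSObject -Property @{
            ComputerName        = $computer
            AllowPasswordExport = $value
            State               = $state
        }
    }
}

# While passwords are being migrated the PES should report ExportEnabled.
# After the last password copy, set the value back to 0 on the PES and
# re-run this check; any server still listed here needs attention.
Get-PasswordExportState -ComputerName 'NT4-BDC01', 'W2K3-DC01' |
    Where-Object { $_.State -ne 'ExportDisabled' -and $_.State -ne 'ValueAbsent' } |
    Format-Table ComputerName, AllowPasswordExport, State -AutoSize
```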

Guest
Posted: Tue Jan 25, 2005 12:20 am
Post subject: Re: pulling nt4 domain into server 2003 domain
Thanks for the information, Frances!
I still have some more questions, however. I am concerned about the
migration of groups, accounts, and machines, and how "efficiently"
admtv2 will do this, especially en masse. Also, I'm wondering if there
is a paper specifically on pulling an NT4 domain into a W2K3 root
domain (which is what I'm doing). I need to guarantee that the morning
after the migration, a user can log on to her machine, using her own
account, her old password, and access her old shares (all the while
being unaware that she is actually logging on to the new and improved
2003 domain!).
Thanks,
Nancy

Frances [MSFT]
Guest
Posted: Tue Jan 25, 2005 5:16 pm
Post subject: Re: pulling nt4 domain into server 2003 domain
Hello Nancy,
According to your message, I assume that you want some basic information
about migrating NT domain to win2k3 domain.
Generally, we can use the ADMT tool to migrate from the old Windows NT4
domain to a new Windows 2003 domain. The migration process goes like the
following.
1. Set up a new Windows Server 2003 DC in the new domain.
2. Create the trust relationship between the two domains.
3. Use the ADMT to migrate data from the old domain to the new domain. Run
win2k3 for a period of time to make sure the network can be functional.
4. Remove the original NT 4 domain.
Before you migrate, I strongly suggest that you download and read the
following documents about migrating from Windows NT 4.0 to Windows 2003.
Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=en
Solution Accelerator for Domain Server Consolidation and Migration: Windows
NT 4.0 to Windows Server 2003
http://www.microsoft.com/technet/itsolutions/techguide/msa/solacc/dmcnmg/dcmplg.mspx
As the migration process is complicated and takes some time, it is best if
you perform the process during a non-business time such as the weekend.
In addition, I would like to give you the following information.
The Recommended Migration Order is listed below for your reference:
=================================================
1. Trust migration (UI Only)
2. Service account migration
3. Domain Global Group
4. Domain Local Group
5. User migration
6. Computer migration
7. Security translation
8. Report
In the computer migration process, please note that you need to manually
restart win98 machines because the win98 clients don't have RPC service.
Regarding ADMT, you can have more information in the following article.
Active Directory Migration Tool Overview
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.asp
Hope it helps. If you have any further questions don't hesitate to get in
touch!
Best regards,
Frances He
Microsoft Online Partner Support

Guest
Posted: Thu Jan 27, 2005 9:05 pm
Post subject: Re: pulling nt4 domain into server 2003 domain
Hello!
Thanks again for your info, Frances, but I guess my more specific
question is regarding pulling the existing (and trusted) NT4 domain
*into* the existing W2K3 domain (maybe it will help to understand my
office's situation: we were recently "merged" with another IT unit,
and we both had domains. The NT domains were trusted earlier, and now
I need to unify the 2 domains into one). Maybe I'm making it more
complicated than it is -
Nancy

Frances [MSFT]
Guest
Posted: Fri Jan 28, 2005 4:20 pm
Post subject: Re: pulling nt4 domain into server 2003 domain
Hello Nancy,
According to your message, you need to restructure your domain
configuration. The NT domain is trusted, and you already have a win2k3
domain. Your goal is to migrate the existing NT domain to the existing
win2k3 domain. Is it correct?
I believe ADMTv2 is the best tool you need to achieve your goal. I can
offer you more information about migrating NT to win2k3 domain. I suggest
that you make an environment in the lab to have a test. In this way, you
can know how ADMT works.
The following is a training media; please pay more attention to the
restructure part, and ADMT part.
Migrating from Windows NT Server 4.0 to Windows Server 2003
<http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20030324TNT1-74/manifest.xml>
Hope this helps. If you have any further questions don't hesitate to get in
touch!
Best regards,
Frances He
Microsoft Online Partner Support