Adding AD Account to NT Global
TagaR (Guest)
Posted: Mon Jan 24, 2005 6:46 am    Post subject: Adding AD Account to NT Global

I have three questions;

1. With W2K3 AD and an NT4 domain with external 2-way trusts, can we add an
account or group from the W2K3 domain to a global group in the NT4 domain?

2. If I have a child domain, is there an automatic trust between my child
domain and the NT4 domain?

3. Would there be a difference in migrating users from the NT4 domain to a child
domain? I have done this already in my root domain. What about the password
export?

Thanks
TagaR
Jack Wang [MSFT] (Guest)
Posted: Mon Jan 24, 2005 1:09 pm    Post subject: RE: Adding AD Account to NT Global

Hi

Thank you for posting!

Please refer to the following information for your questions.

1. You may add an account or group from the Windows Server 2003 domain to a
local group in the NT4 domain. A global group from the NT4 domain can be added
to a group in the Windows Server 2003 domain. A local group in the NT4 domain
is used to hold accounts from other domains, while a global group is used to
be added to groups in other domains.

2. Since a Windows NT domain doesn't have child domains, I assume that the
child domain belongs to the Windows Server 2003 domain. Since trusts with a
Windows NT domain are not transitive, the child domain will not trust the
Windows NT domain automatically. You need to create the trust manually.

3. There is no difference in migrating users from the NT4 domain to a child
domain, except that the user accounts will be created in the child domain's
AD database. However, if you have already migrated the users to the Windows
Server 2003 root domain, it's not necessary to do it again.

As for the password part, please refer to the following information.

To enable support for password migration:
I assume you log on to the Windows Server 2003 server with admin privileges on
both domains; then follow the instructions below to migrate accounts.

Part I: Target Domain
---------------------

Complete the following steps on the domain controller in the target domain
on which you installed ADMT:

1. Insert a 3.5-inch disk into the floppy disk drive.

2. Open a command prompt, and then change to the directory in which you
installed ADMT. By default, this is the %SystemRoot%\Program Files\ folder.

3. Type the following command to create the encryption key to be used
during the migration of the user account passwords:

"admt key <SourceDomainName> <FloppyDrive> [*/password]" (without the
quotation marks) where:

- The admt command is the name of the executable program.
- The key command specifies the generation of an encryption key.
- <SourceDomainName> is the NetBIOS name of the domain that contains the
passwords that you want to migrate.
- <FloppyDrive> is the drive letter of the floppy disk drive where the
encryption key will be written.
- [*/password] is optional; if you use it, you can encrypt the key with a
password. You can either type the password or you can type "*" (without the
quotation marks) to receive a prompt for a password that is not displayed
on the screen. If you type a password, you need to use it when you complete
the setup in the source domain.

Part II: Source Domain
----------------------

Complete the following steps on the PES in the source domain:

1. Double-click the Pwdmig.exe file that is located in the \i386 folder on
the Windows Server 2003 CD-ROM.

2. Insert the 3.5-inch disk that you created when you receive the following
message:

Please insert the floppy disk containing the password encryption key for
this source domain. Click OK to continue.

3. Type the password when you are prompted, and then click OK.

4. Click Next.

5. Click Finish.

6. Click Start, click Run, type regedit, and then click OK.

7. Locate the AllowPasswordExport registry value in the following registry
key:

HKLM\System\CurrentControlSet\Control\LSA

8. Double-click AllowPasswordExport.

9. Change the value "0" to "1", and then click OK.

10. Restart the computer for the settings to take effect.


The password migration solution in ADMT was designed to provide a secure
general solution to password migration. Here are the key features of this
solution:

The password export server (PES) works on Windows NT 4.0 domain controllers
(including systems that have SYSKEY installed), on Windows 2000 domain
controllers, and on Windows Server 2003 domain controllers.

More info:

832221 How to configure the Active Directory Migration Tool to migrate user
passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain
<http://support.microsoft.com/?id=832221>

Enabling Password Migration
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbg_rent_erud.asp

How to Troubleshoot Inter-Forest Password Migration with ADMTv2
http://support.microsoft.com/default.aspx?scid=kb;en-us;322981

Hope it helps. If you have any further questions don't hesitate to get in
touch!

Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
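The two-part procedure in the reply above leaves the source PDC in a state worth keeping an eye on: once AllowPasswordExport is 1 and the PES is running, any caller holding the key on that floppy can pull password hashes from the NT4 SAM. The script below is an added example, not part of the original post and not ADMT's own code; it wraps the PES-side registry step so the flag can be audited before a migration batch and, more importantly, switched back to 0 and verified afterwards. It assumes a modern PowerShell host on the PES (which the NT4-era PES in this thread would not have, so read it as the pattern rather than a drop-in tool), the registry path named in the post, and that the PES service's display name contains "Password Export"; that name pattern is an assumption and is exposed as a parameter.

```powershell
# Added example: audit and toggle the ADMT Password Export Server flag described in KB 832221.
# Assumptions (not from the original post): a modern PowerShell host on the PES, and a PES
# service whose display name contains "Password Export". Run elevated on the PES.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # registry key named in the post

function Get-PasswordExportState {
    <# Returns an object describing whether the PES can currently hand out password hashes:
       the AllowPasswordExport flag and the PES service state (when such a service exists). #>
    param([string]$ServiceDisplayPattern = '*Password Export*')   # assumption: adjust if the name differs

    $value = (Get-ItemProperty -Path $LsaKey -Name AllowPasswordExport -ErrorAction SilentlyContinue).AllowPasswordExport
    $svc   = Get-Service | Where-Object { $_.DisplayName -like $ServiceDisplayPattern } | Select-Object -First 1

    [pscustomobject]@{
        AllowPasswordExport = if ($null -eq $value) { 'not set' } else { [int]$value }
        PesService          = if ($svc) { "$($svc.Name) ($($svc.Status))" } else { 'not found' }
        ExportPossible      = ($value -eq 1)
    }
}

function Set-PasswordExport {
    <# Sets AllowPasswordExport to 1 (migration window open) or 0 (closed). The post notes that
       the machine must be restarted for LSA to pick the change up; -Restart performs that. #>
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled,
        [switch]$Restart
    )
    if (-not (Test-Path $LsaKey)) { throw "Registry key $LsaKey not found; is this the PES?" }
    Set-ItemProperty -Path $LsaKey -Name AllowPasswordExport -Value $Enabled -Type DWord
    Write-Host ("AllowPasswordExport set to {0}; a reboot is required for it to take effect." -f $Enabled)
    if ($Restart) { Restart-Computer -Force }
}

# Typical use around one migration batch:
#   Get-PasswordExportState            # ExportPossible should be False before you start
#   Set-PasswordExport -Enabled 1 -Restart
#   ... run the ADMT user migration with password migration selected ...
#   Set-PasswordExport -Enabled 0 -Restart
#   Get-PasswordExportState            # confirm ExportPossible is False again
Get-PasswordExportState
```

The floppy key is the other half of the secret: the "*" option in step 3 of Part I encrypts it with a password, and the disk should be wiped once Pwdmig.exe has consumed it. Closing the window by resetting the flag does nothing for a key that is still lying in a desk drawer.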
TagaR (Guest)
Posted: Tue Jan 25, 2005 12:13 am    Post subject: RE: Adding AD Account to NT Global

Hi Jack,

Thanks for your reply. I have follow-up questions below.

"Jack Wang [MSFT]" wrote:

Quote:
Hi

Thank you for posting!

Please refer to the following information for your questions.

1. You may add an account or group from the Windows Server 2003 domain to a
local group in the NT4 domain. A global group from the NT4 domain can be added
to a group in the Windows Server 2003 domain. A local group in the NT4 domain
is used to hold accounts from other domains, while a global group is used to
be added to groups in other domains.

The local group in NT is only accessible within the domain controllers and
can't be assigned permissions to resources on member servers; that's why they
are in global groups. I can assign them to a W2K3 local group only, but not to
a global group or an account. I guess if this is the case, I don't have a way
around it? The global groups we have are used to assign permissions to ERP users.

Quote:
3. There is no difference in migrating users from the NT4 domain to a child
domain, except that the user accounts will be created in the child domain's
AD database. However, if you have already migrated the users to the Windows
Server 2003 root domain, it's not necessary to do it again.

I have already done some successful migrations from NT4 to the W2K3 root domain,
and I need to migrate some of the accounts from NT4 to the child domain. Should I
create a PES file again from my child domain target and install it in the NT4
source domain?
Jack Wang [MSFT] (Guest)
Posted: Tue Jan 25, 2005 2:59 pm    Post subject: RE: Adding AD Account to NT Global

Hi

Thank you for the update. If I am correct, you would like to set
permissions for some accounts in the Windows Server 2003 domain from a
member server in the Windows NT domain. If so, I suggest you use the
following method.

1. Create a group in the Windows Server 2003 domain and add the accounts to
it.

2. On the member server of the Windows NT domain, use the group of the
Windows Server 2003 domain directly to set permissions. Since you have
created two-way trusts, you should have the option to do so.

If I have misunderstood your concern, please let me know your goal in
detail. As for the PES file, you need to recreate it since the target
domain has changed.

Hope this helps!

Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support

TagaR (Guest)
Posted: Wed Jan 26, 2005 6:31 am    Post subject: RE: Adding AD Account to NT Global

Quote:
Thank you for the update. If I am correct, you would like to set
permissions for some accounts in the Windows Server 2003 domain from a
member server in the Windows NT domain. If so, I suggest you use the
following method.

1. Create a group in the Windows Server 2003 domain and add the accounts to
it.

Jack,

I created a universal group in my root domain and added a local domain
account, and also added an account, John Doe, which belongs to my child domain.
However, when I checked the Member Of tab in John Doe's account properties, it
does not list his membership in the root domain. Is this correct?

Thanks
TagaR
Jack Wang [MSFT] (Guest)
Posted: Wed Jan 26, 2005 3:52 pm    Post subject: RE: Adding AD Account to NT Global

Hi

This is correct. The Member Of tab on a user object displays only the group
membership for the local domain. This is by design. However, this user is
still a member of the universal group.

Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support
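What the Member Of tab shows depends on which domain controller the console is bound to: a child-domain DC that is not a global catalog holds no object for the root domain's universal group, so there is no back-link to display, while a global catalog carries the member list of every universal group in the forest. The query below is an added example, not part of the original thread; it asks a child-domain DC and the global catalog for the same user's direct group memberships so that the difference is visible rather than taken on faith. The forest name contoso.com, the child domain child.contoso.com and the account jdoe are assumed names, and the script assumes a domain-joined PowerShell host that can reach both.

```powershell
# Added example: compare a user's direct group membership as seen by a child-domain DC
# versus the global catalog. Assumed names: forest contoso.com, child child.contoso.com, user jdoe.
Add-Type -AssemblyName System.DirectoryServices

function Get-DirectGroupMembership {
    <# Returns the groups whose 'member' attribute lists the user, searched via the given root.
       'LDAP://child.contoso.com' binds to a child-domain DC (full replica of that domain only);
       'GC://contoso.com' binds to a global catalog on port 3268, whose partial attribute set
       carries 'member' for universal groups from every domain in the forest. #>
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # Step 1: resolve the user's DN through the same root.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher
    $userSearch.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$userSearch.PropertiesToLoad.Add('distinguishedName')
    $user = $userSearch.FindOne()
    if (-not $user) { throw "User $SamAccountName not found under $Root" }
    $userDn = $user.Properties['distinguishedname'][0]

    # Step 2: forward-link search for groups that list this DN in 'member'. The DN is
    # escaped per RFC 4515 so names like "Doe\, John" cannot break or widen the filter.
    $escaped = $userDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher
    $groupSearch.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($Root)
    $groupSearch.Filter = "(&(objectCategory=group)(member=$escaped))"
    $groupSearch.PageSize = 500
    [void]$groupSearch.PropertiesToLoad.Add('distinguishedName')
    [void]$groupSearch.PropertiesToLoad.Add('groupType')
    foreach ($g in $groupSearch.FindAll()) {
        $type = [int]$g.Properties['grouptype'][0]
        [pscustomobject]@{
            Group = $g.Properties['distinguishedname'][0]
            Scope = if ($type -band 0x8) { 'Universal' } elseif ($type -band 0x2) { 'Global' } elseif ($type -band 0x4) { 'DomainLocal' } else { 'Other' }
        }
    }
}

$fromChildDc = Get-DirectGroupMembership -Root 'LDAP://child.contoso.com' -SamAccountName 'jdoe'
$fromGc      = Get-DirectGroupMembership -Root 'GC://contoso.com'         -SamAccountName 'jdoe'

# Groups held in other domains (the root-domain universal group from the post) appear only in
# the GC result; the child DC has no object for them, so a console bound to it cannot list them.
Compare-Object $fromChildDc $fromGc -Property Group -PassThru |
    Where-Object SideIndicator -eq '=>' |
    Select-Object Group, Scope
```

The same asymmetry matters when auditing access: a membership review run against a single child DC will miss universal groups that grant the user rights elsewhere in the forest, so cross-domain entitlement checks should be run against a global catalog or, for nested membership, against the groups' side of the link.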
 