ADMT and Single Domain
TheKid71
Posted: Tue Feb 01, 2005 6:48 am    Post subject: ADMT and Single Domain

Ok, this may have been beaten to death but I have a question. I have an NT 4
domain (call it dom1) which has 5 NT4 servers (1 PDC, 3 BDCs, and one
web/exchange 5.5) and about 500 computers (all W2K pro and XP Pro). The
hardware for my NT 4 servers will not support Windows 2003 Server (thank you
HP) so I have purchased 4 new servers. The old servers are still good and
there are a lot of applications and file shares that I do not want to move.
The original plan was to set up the new servers with a new domain (call it
dom2), set up AD, DNS, WINS, DHCP, IIS, and Exchange 2003 with Outlook for the
Web. Set up a trust between dom1 and dom2, then migrate the users and
computers from dom1 to dom2 and move the mailboxes from Exchange 5.5 to
Exchange 2003. Then demote the NT4 servers to member servers using UPromote.
Where I begin to have problems is the file and share permissions on the NT4
machines. What effect will the migration have on them? Say I have a file
share called “accounting” which has dom1\accountants with full control and
dom1\managers with read access. Then within that share one folder has
dom1\jsmith having change access. When these servers are migrated what will
happen to these permissions?

Alternatively, could I build my new servers with the same domain name and
settings (ie DNS, DHCP, etc) then use ADMT to migrate users and computers to
the new servers and then demote the old servers? I have not seen any chatter
about this type of upgrade and would like to know if it is possible to do
this. Any resources for this would be appreciated.
Frances [MSFT]
Posted: Wed Feb 02, 2005 3:15 pm    Post subject: RE: ADMT and Single Domain

Hello,

Good to hear from you.

Your migration plan from NT to win2k3 is quite good.

Before you migrate, I strongly suggest that you download and read the
following documents about migrating from Windows NT 4.0 to Windows 2003:

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&DisplayLang=en

In addition, you mentioned Exchange in your plan. If you want more
information regarding Exchange, please post the question in the
microsoft.public.exchange.setup newsgroup since they are the experts in
Exchange and will provide the most accurate information on this issue.


As for your questions, I would like to answer them in order.

Q1. The file and share permissions on the NT4 machines. What effect will
the migration have on them? Say I have a file share called
“accounting” which has dom1\accountants with full control and
dom1\managers with read access. Then within that share one folder has
dom1\jsmith having change access. When these servers are migrated what
will happen to these permissions?

A: Do you mean the files and shares on DCs?
Generally speaking, resources on clients can be migrated to the new domain
in the computer migration process using ADMT. The permissions will remain.
If the resources are on the DC, there are two methods.

Method 1:
=======
1. Demote the DC to be a member server.
2. Migrate the resource in the computer migration process.

Method 2:
=======
Use robocopy to copy the resources with permissions.

You can have more information in the following article.

RoboCopy Syntax
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/robocopy_syntax.asp

What do you mean by "within that share one folder has dom1\jsmith having
change access"?
I believe that after migration, the permission will remain. That is to say,
if in the source domain, the file share has dom1\accountants with full
control and dom1\managers with read access. In that share, one folder has
dom1\jsmith access. Then after user migration, you now have the
corresponding dom2\accountants, dom2\managers and dom2\jsmith. In the
computer migration, if you choose "add" in the "security translation
options", then the permission will be as follows: the file share has
dom1\accountants, dom2\accountants with full control and dom1\managers,
dom2\managers with read access. In that share, one folder has dom1\jsmith
and dom2\jsmith access. If you choose "replace", all the dom1\users will
not access the shares now.

The 3 options in the "security translation options" are listed below for
your reference.

Add: This option maintains the source domain references on ACLs and adds
the corresponding target domain SIDs.

Replace: This option removes all ACL references to the source domain and
replaces them with entries for the target domain.

Remove: This option deletes references to source domain SIDs and does not
add any information for target domain security principals.

We recommend using Replace mode. The reason is listed in the article below.

Remigrating User Accounts and Workstations in Batches
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbi_reer_zgwe.asp>


Q2. Alternatively, could I build my new servers with the same domain name
and settings (ie DNS, DHCP, etc) then use ADMT to migrate users and
computers to the new servers and then demote the old servers? I have not
seen any chatter about this type of upgrade and would like to know if it is
possible to do this. Any resources for this would be appreciated.

A: Please don't use the same domain name, DC names and DNS, DHCP
configuration. Potential problems will arise if the names are the same. You
will have trouble when creating trust if the DC name is the same since the
trust cannot identify the machines with the same name.

Migration is used to migrate from an old domain to a new domain. The
domains should not be the same. Migrating with the same name is very
complicated and not recommended.

Hope this helps. If you have any further questions, don't hesitate to get
in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
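
The three security translation modes from the reply above, applied to the accounting share from the question. This is an added example, not ADMT code and not part of either post; the `svc_backup` account and the rule that unmigrated principals are left untouched are assumptions of the model.

```python
# Added example: a simplified model of the Add / Replace / Remove modes.
# Real ACLs store SIDs; DOMAIN\name strings are used here for readability.
TARGET = "dom2"

# Constructed sample data based on the share described in the thread.
SHARE_ACL = [("dom1\\accountants", "full"), ("dom1\\managers", "read"),
             ("dom1\\svc_backup", "read")]   # svc_backup: hypothetical, never migrated
FOLDER_ACL = [("dom1\\jsmith", "change")]
MIGRATED = {"dom1\\accountants", "dom1\\managers", "dom1\\jsmith"}

def target_of(principal):
    """Target-domain counterpart, assuming the account keeps its name."""
    return TARGET + "\\" + principal.split("\\", 1)[1]

def translate(acl, migrated, mode):
    """Return a new ACL after applying one translation mode.

    Assumption of this model: entries for principals that were never
    migrated are left untouched in every mode.
    """
    if mode not in ("add", "replace", "remove"):
        raise ValueError("unknown mode: " + mode)
    out = []
    for principal, right in acl:
        if principal not in migrated:
            out.append((principal, right))                # unmapped: keep as-is
            continue
        if mode == "add":
            out.append((principal, right))                # keep source reference
        if mode != "remove":
            out.append((target_of(principal), right))     # add target reference
    # Drop duplicates (order preserved) so a re-run does not pile up entries.
    return list(dict.fromkeys(out))

def source_references(acl, source="dom1"):
    """Principals on the ACL that still point at the source domain."""
    return [p for p, _ in acl if p.lower().startswith(source + "\\")]

if __name__ == "__main__":
    for mode in ("add", "replace", "remove"):
        for name, acl in (("share", SHARE_ACL), ("folder", FOLDER_ACL)):
            result = translate(acl, MIGRATED, mode)
            print(mode, name, result, "leftover:", source_references(result))
```

Running `source_references` on the translated ACLs is the audit step: in this model it lists every source-domain entry still present, including accounts that were never migrated.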
TheKid71
Posted: Thu Feb 03, 2005 2:07 am    Post subject: RE: ADMT and Single Domain

Thank you Frances. I guess I am in a bit of a pickle because our DHCP server
is scoped with public IP addresses. This was not my doing, the network was
in place when I took the job and no one has ever explained to me why they
went with a public IP address scope. I think that they wanted to avoid using
a proxy server and avoid the censorship and privacy issues. So, I am in a
position where the DHCP and DNS would have to be identical.

I also want to keep the NT4 servers online without having to move the shares
and folders, because they are massive.

Is there an upgrade path that will allow me to introduce a new W2K3 box into
my NT 4 domain and then set up AD within the domain? Then demote the NT 4
servers to member servers? I have not seen any information on this
particular upgrade path. I have seen where people promote a BDC, upgrade it
to W2K3 and AD, then demote all other NT4 servers. But my problem is HP does
not have drivers for W2K3 for my servers so I can not upgrade them to W2K3.
I did find drivers for Windows 2000 Server, but I do not have licenses for
Windows 2000 Server. I guess I am back to planning again.
Frances [MSFT]
Posted: Thu Feb 03, 2005 3:50 pm    Post subject: RE: ADMT and Single Domain

Hello,

Regarding your scenario, it is recommended to upgrade to a win2k3 domain.
You can perform a "not in place" upgrade. In this way, you don't have to
upgrade your PDC and BDC to win2k3 directly. Instead, you install BDC on
the new computer, promote it to be PDC, and then upgrade to win2k3. I will
give you the detailed steps to perform such an upgrade.

As a kind reminder, please back up the whole system before you take any
action. Also, it is best if you perform the upgrade process during a
non-business time such as the weekend.

Performing a "not in place" upgrade
======================

1. Install NT 4.0 BDC on the new box.
Please assign a static IP address to this server to install DHCP server and
DNS server.

2. Replicate DHCP to the BDC.
Is your PDC holding the DHCP server?

130642 How to Move a DHCP Database to Another Windows Server
http://support.microsoft.com/?id=130642

3. Replicate DNS from PDC to BDC.

3.1 Manually create a secondary zone on the BDC to replicate for the zone
on the NT DNS server.

3.2 Transfer the zone over to the BDC.

3.3 Change the secondary zone on the BDC to a Standard Primary Zone.

Refer to the following article for more information.

DNS and MS Windows NT 4.0
http://www.microsoft.com/technet/archive/winntas/deploy/prodspecs/dnswp2.mspx

4. Promote the BDC to the PDC, which demotes the PDC to a BDC.

5. Do a full backup of the former PDC and remove it from the network.

6. Upgrade the new PDC to Windows Server 2003.
If you want to expand the boot partition, please refer to the following KB:

325857 How To Expand the Boot Partition During a Windows Server 2003 Upgrade
http://support.microsoft.com/?id=325857

7. Use the Windows Server 2003 Active Directory wizard to turn on the
Active Directory service.
The Active Directory service imports the existing user accounts, groups,
and other settings from the PDC.

8. Run your new Windows Server 2003 domain controller with Active Directory
for a test period.

9. If desired you can do a clean installation of Windows Server 2003 on the
former PDC, and bring it online as an Active Directory domain controller.

10. Transfer all Flexible Single-Master Operation (FSMO) roles to the new
Windows Server 2003 domain controller.

11. Verify all directory information has replicated.

12. Demote the first domain controller to a member server, and remove from
the domain.



Regarding your questions, I would like to answer them in order.

Q1. Is there an upgrade path that will allow me to introduce a new W2K3 box
into my NT 4 domain and then set up AD within the domain?

A: You cannot introduce win2k3 DC into NT domain. Please use the "not in
place" upgrade to get the win2k3 domain you want.

Q2. Then demote the NT 4 servers to member servers?

A: There is no built-in tool to demote NT BDCs to member servers.

NT servers (BDCs) can be kept in a win2k3 domain when the domain level is
Windows 2000 mixed (default). However, I suggest that you use a third-party
tool (UPromote) to demote the BDCs to member servers and then raise the
domain level to enjoy more win2k3 domain features.

UPromote: Promote your NT Server to a Domain Controller
http://utools.com/UPromote.asp

Note: The third-party products that this article discusses are manufactured
by companies that are independent of Microsoft. Microsoft makes no
warranty, implied or otherwise, regarding the performance or reliability of
these products.

Hope this helps. If you have any further questions, don't hesitate to get
in touch!

Best regards,

Frances He

