SG
Guest
Posted:
Fri Jan 14, 2005 9:35 pm Post subject:
** Please Advise ** NT4 -> 2003 Upgrade Plan !!
Going to upgrade NT4 domain to 2003 AD. I have tested the process in test
lab. All was ok except the fallback test with a laptop from the NT4 domain.
I plugged into the test domain with the laptop and was able to login and the
pc's fqdn changed to the AD domain name, basically appending the .com I used
from the netbios name. As seen in other posts, I was unable to fallback to
the NT4 production domain with the laptop after I was on the test AD network
for some time. The message was "the computer account in its primary domain
is missing or the password on that account is incorrect". The current setup
includes PDC and one BDC in main office. One BDC in each of 4 remote
offices. We will be upgrading/replacing both the PDC and BDC in the main
office to 2003 and both will be DC's. My plan is as follows:
1) Install new nt4 BDC and promote to PDC. Synchronize domain and remove
former PDC (now BDC).
2) Upgrade to 2003 AD on current PDC.
3) Install fresh 2003 Server on a brand new pc and join domain. Run dcpromo
to make as DC. Enable as Global Catalog. Force Synchronize both DC's.
4) Run dcpromo on first DC (pc upgraded in step 2) to demote and force all
roles to newly installed 2003 machine in step 3.
5) Install fresh 2003 Server on another new pc and join domain. Run dcpromo
to make as DC. Enable as Global Catalog.
6) Remove Global Catalog from pc in step 3 since it will be the
infrastructure master.
Result: 2 freshly installed 2003 DC's with all user and computer accounts
intact.
My questions are:
1) Is there anything wrong or missing with this plan?
2) Should I use the NT4Emulator registry entry on all pc's that are going to
be 2003 DC's for purpose of fallback plan? If so, when is it ok to remove
the setting to force clients to append the domain suffix? I need the
fallback plan to work in case it is called upon. It's useless to remove a
BDC for a fallback plan just to have all client pc's to not work or have
invalid computer accounts when used with the old NT4 domain, per my
experience in first paragraph.
3) What will remote office users/computers experience when they log onto
network after upgrading domain to 2003 AD? Their local DC will still be a
NT4 BDC for some time. Will they authenticate successfully to their local
BDC or will they go across the WAN link to authenticate with the new 2003
DC's, even though they will NOT be using AD dns servers? The AD dns
structure will expand to remote offices as each office BDC is upgraded to
2003. In other words, the remote office clients will still use their current
dns server entries and not point to the new dns servers in AD. WINS will
still be used on network to resolve server names. Only the local clients to
the new 2003 DC's will use the new AD dns servers.
4) If using NT4 Emulation on DC's, will Pro and XP clients local to the 2003
DC's still process group policies? Remote office XP/Pro clients will NOT
process group policies regardless of NT4 Emulation since they don't know
about the AD dns servers, correct?
Thanks in advance for any response, tips, assistance with this post.
SG
Brian Desmond [MVP]
Guest
Posted:
Sun Jan 16, 2005 10:39 am Post subject:
Re: ** Please Advise ** NT4 -> 2003 Upgrade Plan !!
Hi there,
As far as the error you're receiving, this is expected behavior. The
computer has changed its machine account password on its schedule (usually
every 30 days), and now it has a different password than when it was in the
NT4 domain.
I've answered the rest of your points inline below.
--
--Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
www.briandesmond.com
> 1) Install new nt4 BDC and promote to PDC. Synchronize domain and remove
> former PDC (now BDC).
> 2) Upgrade to 2003 AD on current PDC.
> 3) Install fresh 2003 Server on a brand new pc and join domain. Run dcpromo
> to make as DC. Enable as Global Catalog. Force Synchronize both DC's.
> 4) Run dcpromo on first DC (pc upgraded in step 2) to demote and force all
> roles to newly installed 2003 machine in step 3.
> 5) Install fresh 2003 Server on another new pc and join domain. Run dcpromo
> to make as DC. Enable as Global Catalog.
> 6) Remove Global Catalog from pc in step 3 since it will be the
> infrastructure master.
If this is a single domain environment, you do not need to do item 6, just
mark all your DCs GCs. This is only relevant in a multidomain environment.
> Result: 2 freshly installed 2003 DC's with all user and computer accounts
> intact.
> My questions are:
> 1) Is there anything wrong or missing with this plan?
> 2) Should I use the NT4Emulator registry entry on all pc's that are going to
> be 2003 DC's for purpose of fallback plan? If so, when is it ok to remove
> the setting to force clients to append the domain suffix? I need the
> fallback plan to work in case it is called upon. It's useless to remove a
> BDC for a fallback plan just to have all client pc's to not work or have
> invalid computer accounts when used with the old NT4 domain, per my
> experience in first paragraph.
The NT4Emulator reg key is not a fall back option. It is to prevent all your
2k/XP/2003 clients from immediately swamping the new DC. See this KB for
more info http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284937.
> 3) What will remote office users/computers experience when they log onto
> network after upgrading domain to 2003 AD? Their local DC will still be a
> NT4 BDC for some time. Will they authenticate successfully to their local
> BDC or will they go across the WAN link to authenticate with the new 2003
> DC's, even though they will NOT be using AD dns servers? The AD dns
> structure will expand to remote offices as each office BDC is upgraded to
> 2003. In other words, the remote office clients will still use their current
> dns server entries and not point to the new dns servers in AD. WINS will
> still be used on network to resolve server names. Only the local clients to
> the new 2003 DC's will use the new AD dns servers.
My experience is that sometimes the clients need a reboot after the upgrade.
Not always, though. Without the NT4Emulator, the PCs will go across the WAN
to a 2003 DC. Your clients need access to the AD DNS infrastructure whether
they'll be talking to a BDC or not. You need to fix this right away. 2k+
clients will need to locate the PDC emulator, global catalogs, site
information, etc.
> 4) If using NT4 Emulation on DC's, will Pro and XP clients local to the 2003
> DC's still process group policies? Remote office XP/Pro clients will NOT
> process group policies regardless of NT4 Emulation since they don't know
> about the AD dns servers, correct?
GP will not be processed unless there is a NeutralizeNT4Emulator reg key on
the client. See above about DNS, you can't do what you're planning as far as
skipping the DNS goes.
> Thanks in advance for any response, tips, assistance with this post.
> SG
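The two Netlogon switches Brian refers to, the machine-account password rotation behind the "password on that account is incorrect" fallback error, the DC-locator DNS records a 2000+ client has to resolve, and a post-upgrade FSMO/GC check for steps 4-6 of the plan, as an added PowerShell example (not from the thread and not Brian's code). It assumes an elevated session on the machine being changed, Windows PowerShell 2.0 syntax so it also runs on 2003/XP, the Netlogon\Parameters value names from KB 284937 and the Netlogon documentation, the 2003 Support Tools (netdom, repadmin) for the last function, and `corp.example.com` as a placeholder for the AD DNS name. Disable-MachinePasswordChange is my addition for a pilot workstation like the laptop in the first post: the client is what rotates the secret, so freezing it before the machine is taken to the test domain keeps the copy the NT4 domain still holds valid.

```powershell
# Added example: not from the thread. Netlogon switches from KB 284937,
# machine-account password controls, DC-locator DNS checks and a post-
# upgrade FSMO/GC check. PowerShell 2.0 syntax; run elevated.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# On each 2003 DC: answer locator queries like an NT4 DC, so 2000/XP clients
# keep using their local BDC instead of crossing the WAN (KB 284937).
function Enable-NT4Emulator  { Set-RegDword $NetlogonParams 'NT4Emulator' 1 }
function Disable-NT4Emulator {
    Remove-ItemProperty -Path $NetlogonParams -Name 'NT4Emulator' -ErrorAction SilentlyContinue
}

# On a client that should see the real AD DC despite NT4Emulator, e.g. the
# machines local to the new DCs that are supposed to process Group Policy.
function Enable-NeutralizeNT4Emulator { Set-RegDword $NetlogonParams 'NeutralizeNT4Emulator' 1 }

# Machine-account secret rotation is client-driven: Netlogon changes it every
# MaximumPasswordAge days (default 30). DisablePasswordChange=1 on a pilot
# workstation freezes the secret so the NT4 domain's copy stays valid; the
# GPO "Domain member: Disable machine account password changes" sets the same
# value. Re-enable it when the pilot is over.
function Get-NetlogonSettings {
    $p = Get-ItemProperty -Path $NetlogonParams
    $age = 30
    if ($p.MaximumPasswordAge) { $age = [int]$p.MaximumPasswordAge }
    New-Object PSObject -Property @{
        NT4Emulator            = [int]$p.NT4Emulator            # absent value -> 0
        NeutralizeNT4Emulator  = [int]$p.NeutralizeNT4Emulator
        DisablePasswordChange  = [int]$p.DisablePasswordChange
        MaximumPasswordAgeDays = $age
    }
}
function Disable-MachinePasswordChange { Set-RegDword $NetlogonParams 'DisablePasswordChange' 1 }
function Enable-MachinePasswordChange  { Set-RegDword $NetlogonParams 'DisablePasswordChange' 0 }

# SRV records a 2000+ client resolves to find a DC, the PDC emulator and a GC.
# If these fail from a remote office, that office's clients are not on AD DNS.
function Test-AdLocatorRecords {
    param([string]$DnsDomain)   # placeholder, e.g. 'corp.example.com'
    $records = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",
        "_ldap._tcp.pdc._msdcs.$DnsDomain",
        "_gc._tcp.$DnsDomain",
        "_kerberos._tcp.dc._msdcs.$DnsDomain"
    )
    foreach ($r in $records) {
        $out = nslookup -type=SRV $r 2>&1 | Out-String
        New-Object PSObject -Property @{ Record = $r; Resolves = ($out -match 'svr hostname') }
    }
}

# After steps 4-6 of the plan: who holds the FSMO roles, which DCs are GCs,
# and whether replication is clean (2003 Support Tools: netdom, repadmin).
function Test-PostUpgradeState {
    netdom query fsmo
    dsquery server -isgc
    repadmin /showrepl
}

Get-NetlogonSettings
Test-AdLocatorRecords -DnsDomain 'corp.example.com'
```

Brian's point stands: NT4Emulator only shapes what the DC advertises and does nothing for the machine-account secret, which is why the laptop in the first post could not go back. Run Test-AdLocatorRecords from a remote office against the DNS servers its clients actually use; a failed `_ldap._tcp.pdc._msdcs` or `_gc._tcp` lookup is the concrete form of the DNS gap he describes. In a single-domain forest, `dsquery server -isgc` should list every DC once step 6 is dropped as he suggests.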
SG
Guest
Posted:
Tue Jan 18, 2005 2:08 am Post subject:
Re: ** Please Advise ** NT4 -> 2003 Upgrade Plan !!
Thanks for the response.

I have followed the plan outlined in my previous post and all appears to be
working fine. I realize not having the dns structure fully installed could
lead to potential problems, but I have the 2003 DC's running in emulation
and the NT4 BDC's are properly being updated by the PDC emulator, i.e.
account changes and such. I am under the impression that running the
NT4Emulator keys on the DC's keeps all clients in the dark about using 2003
DC's? I can logon just fine in the remote office (via VNC/RDP) with any
valid user account with no delays. I am still running WINS and replicating
as before (HUB-SPOKE) and all servers in all offices are accessible via
browsing the network from any location on the WAN. Why would dns be a
problem in the remote offices if nothing changed in respect to the local BDC
and they can successfully authenticate? My plan is to upgrade each office DC
to 2003 with emulation keys and implement dns during each upgrade process to
that remote office. When all of the offices have a local 2003 DC / AD DNS
implementation, I was going to remove the keys to start implementing AD
functionality, i.e. GPO, etc. Many users travel to the main office, so if I
didn't use the emulation keys on the new 2003 DC's and they login while at
the main office, their machine would be updated to the new domain name. I
didn't want the user to have problems when logging on to the network when
back in their "remote" office since there will be no 2003 DC and no AD dns
locally. Is this correct thinking or am I missing something? I don't want
remote clients to authenticate across the WAN if I can help it.

Do you think it will be ok to put in the neutralize key for the 2000/xp
clients that are local to the 2003 DC's and will never be logging into the
network from a remote office?

Also, I am getting a lot of ANONYMOUS LOGON entries in the security log on
the 2003 DC and was wondering if you or anyone can shed some light on this:
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9A815)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TAYLOR
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.239
Source Port: 0
Can I at least require NTLMv2 on the domain and refuse LM/NTLM? Will the NT4 BDC's
function correctly? They are up to SP6a.
Thanks for all the help.
SG
"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news:uVBERV4#EHA.2156@TK2MSFTNGP10.phx.gbl...
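The entry SG pasted is a "Successful Network Logon" audit, event ID 540 in the 2000/2003 classic Security log, with its fields laid out exactly as shown. As an added PowerShell example (not from the thread and not an answer anyone in it gave): a parser for that message layout, a filter that groups anonymous NTLM network logons by workstation and source address so the noisy hosts stand out, and a read of this host's LmCompatibilityLevel, the LSA value behind the NTLMv2/LM question at the end of the post. The sample event is constructed from the posted entry (TAYLOR, 192.168.1.239); Get-EventLog is assumed to run on the DC; PowerShell 2.0 syntax.

```powershell
# Added example, not from the thread: triage of event 540 "Successful Network
# Logon" entries on a 2000/2003 DC, and the LAN Manager auth level setting.

function ConvertFrom-LogonEvent540 {
    param([string]$Message)
    # Pull the "Label: value" pairs out of the message body (blank value allowed)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    New-Object PSObject -Property @{
        UserName    = $fields['User Name']
        Domain      = $fields['Domain']
        LogonType   = $fields['Logon Type']
        AuthPackage = $fields['Authentication Package']
        Workstation = $fields['Workstation Name']
        SourceIP    = $fields['Source Network Address']
    }
}

# Anonymous NTLM network logons (type 3, NtLmSsp, empty or ANONYMOUS LOGON
# account) grouped by the host that produced them.
function Get-AnonymousNtlmLogons {
    param([int]$Newest = 2000)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 } |
        ForEach-Object { ConvertFrom-LogonEvent540 $_.Message } |
        Where-Object {
            $_.LogonType -eq '3' -and $_.AuthPackage -eq 'NTLM' -and
            ($_.UserName -eq 'ANONYMOUS LOGON' -or [string]::IsNullOrEmpty($_.UserName))
        } |
        Group-Object Workstation, SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel:
#   0-2 clients send LM and/or NTLM; 3 clients send NTLMv2 only;
#   4 DCs refuse LM; 5 DCs refuse LM and NTLM (NTLMv2 only). Absent = 0.
function Get-LmCompatibilityLevel {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.LmCompatibilityLevel -ne $null) { [int]$lsa.LmCompatibilityLevel } else { 0 }
}

# Constructed sample, shaped like the entry in the post
$sample = @"
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9A815)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TAYLOR
Source Network Address: 192.168.1.239
Source Port: 0
"@
ConvertFrom-LogonEvent540 $sample | Format-List
Get-LmCompatibilityLevel
```

Some anonymous network logons on a DC are ordinary null-session traffic (SMB session setup before a user authenticates, browser and WINS-era name traffic), so the grouped counts rather than the individual entries are what to read: one workstation producing them in volume, or a source address that is not a known domain member, is the thing to chase. Raising LmCompatibilityLevel on the DCs is a domain-wide change that every client and the remaining NT4 BDCs have to be checked against before it is made.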