Client Has BIG Domain Mess... NT/2000 Conflict

Mike

I have a new client with a BIG mess in their domain configuration. It
was an existing Windows NT 4.0 domain, single server, and their former
support company set up a new Windows 2000 active directory domain
controller with the same Netbios domain name as the original domain.
Essentially, this has created two separate domains. This obviously
caused all kinds of problems for the workstations logging in and
accessing resources in the two domains, so the former support guy has
all the workstations logging in locally and mapping drives instead of
logging into the domain.

Somehow, if you look in server manager on the NT4 box, it sees itself
as the PDC and the 2K box as a BDC. If you look in AD Users and
Computers on the 2K box, it sees itself as the only domain controller.
The new 2K server is running a vendor-installed database application,
so I'd rather not rebuild it if I can avoid it. I know I can rebuild
it as a NT BDC, promote to PDC, and upgrade to Win2K to resolve the
domain problem, but I'm not sure how to handle the database app so I'd
rather not go this route.

According to the client, the NT4 box is still needed for now, it's
running resources that cannot be moved to the Win2K box. If the NT box
could be eliminated, I could disjoin all the workstations from the NT
domain, and re-join to the 2K domain and run all resources on the 2K
box. Unfortunately, this isn't possible according to the client.

So I'm stuck between a rock and a hard place. Anyone have any
suggestions?

Any help is greatly appreciated.

Thanks,
Mike
 
Nathan

-----Original Message-----
I have a new client with a BIG mess in their domain

Find out exactly what they need from the NT4 server, I
would imagine it's mostly file and printer shares since
they are not using much from either domain at this point.
Decommission the NT4 domain and you should be able to move
the NT4 server into a workgroup.

At this point you are no worse than when you had two
domains, but you might have to re-create a few users as
local users to the NT4 server. I would create the users
as requested and find out what resources they NEED from
the NT4 server in that way.

If you deny them access to their data and they continue
on "business as usual" then they didn't need anything. ;)
This may seem cruel, but if the client can't tell you what
they need, you have a way to "test" for it.

Just be sure you can restore their access quickly before
you hide that NT4 server from them. If it's printer
shares and file shares, start moving the files and
printers to the new AD infrastructure as they request
access to it.

Get good backups of BOTH servers before you start any work
for this client! :)
 
Guest

Dude, this situation just sucks. I'd need to hear a bit more about the reasons you can't migrate the application. But I think you would be smart to reverse the roles here. Set up the users in AD and set it up like you would for a place that only had one server. Next thing you want to do is use something like DCdemote and drop the NT4 server out of server status. Then make it just a member of the W2K domain. The application still runs, and the server still does the work, it retains its name, but doesn't do any of the server stuff, and will stop making conflicts.

Another solution would be to make a new domain for the AD stuff: set up all the users, build the trusts, and live with two domains, one for the users/computers, another for apps, but that gets to be a pain to manage.
 
SaltPeter

Mike said:
I have a new client with a BIG mess in their domain configuration. It
was an existing Windows NT 4.0 domain, single server, and their former
support company set up a new Windows 2000 active directory domain
controller with the same Netbios domain name as the original domain.
Essentially, this has created two separate domains. This obviously
caused all kinds of problems for the workstations logging in and
accessing resources in the two domains, so the former support guy has
all the workstations logging in locally and mapping drives instead of
logging into the domain.

Sounds more like the "former support company" is responsible for this
situation. The NT4 PDC can't support an AD based domain and W2K can't be
serving as a BDC in an NT4 network. These 2 facts violate 2 fundamental
issues in any W2K domain architecture. You are already aware of that.

I'd suggest installing NT4 on a newer server, promoting it to a PDC and
upgrading it to a root W2K so you can serve a domain that's upgraded from the
existing NT4 domain. The result will be a domain that supports both the
netbios namespace and a new W2K DNS namespace.

What's certain is that in your situation, this should be carried out by
the former support company. That or meet the lawyers. Seriously. There is no
excuse possible.

Somehow, if you look in server manager on the NT4 box, it sees itself
as the PDC and the 2K box as a BDC. If you look in AD Users and
Computers on the 2K box, it sees itself as the only domain controller.
The new 2K server is running a vendor-installed database application,
so I'd rather not rebuild it if I can avoid it. I know I can rebuild
it as a NT BDC, promote to PDC, and upgrade to Win2K to resolve the
domain problem, but I'm not sure how to handle the database app so I'd
rather not go this route.

Sounds like 2 unique domains but the netbios half of the W2K architecture is
taking its data from an illegal NT4 PDC. This is a good example of
"undefined behaviour".

According to the client, the NT4 box is still needed for now, it's
running resources that cannot be moved to the Win2K box. If the NT box
could be eliminated, I could disjoin all the workstations from the NT
domain, and re-join to the 2K domain and run all resources on the 2K
box. Unfortunately, this isn't possible according to the client.

Keep the NT4 system. Install another NT4 server. Promote it to demote the
older NT4 down to a BDC. As long as you migrate to W2K from an NT4 PDC and
keep the W2K domain running in mixed mode, you'll not need to deactivate the
original NT4 BDC.

Of course, this probably means having to disassemble + recreate your W2K
domain. If that isn't a perfect solution, it's still probably the better
solution (since the W2K domain is not conforming to a defined W2K
environment). You might try demoting the NT4 PDC and promote it to a new
unique NT4 domain + add a trust relationship to existing W2K domain, but
chances are that the W2K installation itself is damaged and will fail to
operate/replicate the netbios half of the W2K mixed domain once the NT4 PDC
is disabled.

So I'm stuck between a rock and a hard place. Anyone have any
suggestions?

Yes, let the former support company fix their blunder.
 
Phillip Windell

MgtyMike said:
that only had one server. Next thing you want to do, is use something like
DCdemote and drop the NT4 server out of server status. Then make it just
a member of the W2K domain. The application still runs, and the server still

You can't. Once NT40 is a DC it is a DC "for life". It's not like Win2k or
2k3.
 
Phillip Windell

Well I guess I might as well chime in too....
Mike said:
According to the client, the NT4 box is still needed for now, it's
running resources that cannot be moved to the Win2K box.

They probably don't know what they really need or they wouldn't have gotten
into such a stupid situation. They may need the NT machine due to
Applications running in it, but that does *not* mean it has to be a domain
Controller. Just migrate the Applications that only run on NT to another NT
machine.

If the NT box
could be eliminated, I could disjoin all the workstations from the NT
domain, and re-join to the 2K domain and run all resources on the 2K
box. Unfortunately, this isn't possible according to the client.

Your job as an "IT Guy" isn't to trust them at their word that they need
something a certain way,...if they knew well enough what they needed and
what they were doing they wouldn't need you. Your job is to find out what
they *really* need,...convince them of it,...then do what needs to be done.
 
Jeff Cochran

I have a new client with a BIG mess in their domain configuration. It
was an existing Windows NT 4.0 domain, single server, and their former
support company set up a new Windows 2000 active directory domain
controller with the same Netbios domain name as the original domain.
Essentially, this has created two separate domains. This obviously
caused all kinds of problems for the workstations logging in and
accessing resources in the two domains, so the former support guy has
all the workstations logging in locally and mapping drives instead of
logging into the domain.

Somehow, if you look in server manager on the NT4 box, it sees itself
as the PDC and the 2K box as a BDC. If you look in AD Users and
Computers on the 2K box, it sees itself as the only domain controller.
The new 2K server is running a vendor-installed database application,
so I'd rather not rebuild it if I can avoid it. I know I can rebuild
it as a NT BDC, promote to PDC, and upgrade to Win2K to resolve the
domain problem, but I'm not sure how to handle the database app so I'd
rather not go this route.

According to the client, the NT4 box is still needed for now, it's
running resources that cannot be moved to the Win2K box. If the NT box
could be eliminated, I could disjoin all the workstations from the NT
domain, and re-join to the 2K domain and run all resources on the 2K
box. Unfortunately, this isn't possible according to the client.

So I'm stuck between a rock and a hard place. Anyone have any
suggestions?

First step would likely be eliminating the AD setup entirely. Go back
to the NT domain, then approach the migration properly. You can't
"demote" an NT PDC to a member server, so you're stuck there. You
can't rename a domain on W2K as you can in Server 2003, so you're
stuck there.

And I think you already knew this, but hate having to explain it to
your client. :)

Jeff
 
