Migrating NT domain to AD

Seeker

Hello,

I'm beginning to plan the migration of an existing NT domain to AD. This
isn't a "how do I do it" post, as I realize there are way too many
variables, rather I have a few high-level points/questions.

1. There is a mix of about 550 98/2k and XP workstations. We're working on
migrating to all XP but it likely won't be done before the domain migration.
Do the 98 machines need the AD client if we choose mixed-mode?
2. As part of the migration, I'd like to take the existing domain name and
change it to our fully qualified Internet domain name, such as company.com,
or maybe ad.company.com. This way it can share the same namespace. Can
this happen as part of the upgrade to either mixed or native mode, and will
the workstations have to be visited to be made aware of the new domain?
3. Are there any drawbacks to installing initially in native mode vs.
running in mixed mode first and then migrating to native mode once all the
BDCs are upgraded?

I've been combing through the Microsoft resources already. If there are
some good tips and tricks sites or other major gotchas to look out for, I'd
be appreciative. Thanks.
 
Steven L Umbach

I think you would be better off posting this over in the win2000.active_directory
newsgroup, where there are a lot of people very knowledgeable in the area you seek
expertise, but here are my comments.

1. The W98 machines do not have to have the AD client to be in the new domain, though
there are some advantages such as site awareness, ability to search AD and the
ability to use NTLMv2. I understand there is a newer version of the AD client to iron
out some problems, but I think you have to contact MS for it. Just make sure that you
have WINS in your new domain and that the AD domain controllers are also clients, as
downlevel clients still need WINS.

2. The domain name should not be a problem. In NT, host name resolution is an
afterthought. It does not matter what mode you go to and you should not have to visit
each machine, unless you have manually configured TCP/IP, as the DHCP scope will take
care of this; just be sure to use scope option 15 for domain name. Make sure that
ONLY AD domain controllers are listed as preferred DNS servers for your computers via
scope or static. Keep in mind that your computers will not be able to find internet
resources with your domain name unless you configure static records in your DNS zone
as in a "split brains" DNS configuration, because as far as they are concerned your
internal DNS zone is authoritative for them and any records not found for the domain
will result in a failed DNS lookup. You will also want to configure your DHCP server to
be a proxy for registering dynamic DNS host records for the W98 clients, since they
cannot do that on their own.

3. The main advantage of mixed mode is the ability to use NT4.0 BDCs, which could
lead to a quicker rollback/disaster recovery by being able to go back to an NT4.0 PDC if
all goes bad. The downside is that I believe some of the better migration tools
require that the migration be to a native mode domain.

4. Be careful implementing any changes to Security Policy in your new domain since
you still have "downlevel" W98 computers, particularly in regards to IPsec policies,
LAN Manager authentication level, digitally sign communications, and additional
restrictions for anonymous connections. There are a lot of security templates
available and the urge to upgrade security can disrupt your network. If you want to
make changes, document them well and consider not modifying the default domain GPO,
but creating a new one at the top of the list where changes will be made, which will
make it easy to roll back to default if problems occur. See the KB link below about
how security setting incompatibilities can disrupt your network. Netdiag and Dcdiag
are two indispensable tools for W2K and are located in the support/tools folder on
the install disk. Good luck. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
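
Added example, not part of the post above and not a Microsoft tool: a pre-deployment check that reads the [Registry Values] section of a security template and flags the settings named in point 4 that can lock out downlevel W98 clients. The function names, the sample template text and the thresholds are assumptions made for this example; confirm the thresholds against the KB article linked above.

```python
import re

LSA = r"machine\system\currentcontrolset\control\lsa"
SRV = r"machine\system\currentcontrolset\services\lanmanserver\parameters"
# path -> (threshold, reason); thresholds are assumptions, confirm against the linked KB.
RISKY = {
    LSA + r"\lmcompatibilitylevel": (4, "DC refuses LM; clients without NTLMv2 fail to log on"),
    SRV + r"\requiresecuritysignature": (1, "SMB signing required; non-signing clients are refused"),
    LSA + r"\restrictanonymous": (2, "anonymous access blocked; downlevel clients rely on it"),
}

# Constructed sample template text, not taken from any shipped .inf file.
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
[Registry Values]
; format: path=type,value (type 4 is REG_DWORD)
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""

def parse_registry_values(inf_text):
    """Return {lowercased path: int} for REG_DWORD entries in [Registry Values]."""
    values, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            reg_type, _, value = data.partition(",")
            if reg_type.strip() == "4" and value.strip().isdigit():
                values[path.strip().lower()] = int(value.strip())
    return values

def downlevel_risks(inf_text):
    """List (value name, configured value, reason) for settings at or above threshold."""
    found = parse_registry_values(inf_text)
    return [(path.rsplit("\\", 1)[-1], found[path], reason)
            for path, (threshold, reason) in RISKY.items()
            if found.get(path, 0) >= threshold]

if __name__ == "__main__":
    for name, value, reason in downlevel_risks(SAMPLE_INF):
        print(f"{name}={value}: {reason}")
```

Running the check against each template before linking it in a new GPO gives a short list of settings to test with a W98 machine first.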
 
Seeker

...Good luck. --- Steve

Your post was very helpful. I'll follow up in the ng you suggested. Thanks
a lot!
 
