Migrating NT to Win 2000 AD single domain

Guest

I have a requirement to migrate my 8 separate NT4 domains to a single Windows
2000 AD domain. I have a fresh forest root AD prepared.
I've been trying to work out the best method of getting all these domains to
join this new AD. Each NT server is also used as a file store server and some
contain masses of files with many layers of group permissions. These are
stored on different partitions to the OS (e.g. D: or E: drive). I don't want
to have to re-create these folder structures. This is my current plan (1 NT
domain at a time):

1. Migrate users and groups (including SIDHistory) from NT PDC to AD using
ADMT.
2. Format C: drive to remove NT OS of NT server.
3. Install a fresh installation of Win 2000 on the existing C: partition
(build as a member server of the new domain).
4. DCPROMO server to join the new AD domain.

Doing this at each domain should eventually lead to a single AD domain.
Can anyone see any problems using this plan?
I'm most concerned about migrating SIDHistorys and retaining the
permissions. Is anyone aware of any problems I could encounter doing this?
If there are any other, simpler methods of doing this, ideas would be much
appreciated.

Many thanks
 
Ace Fekay [MVP]

In
gmickelsen said:
I have a requirement to migrate my 8 separate NT4 domains to a single
Windows 2000 AD domain. I have a fresh forest root AD prepared.
I've been trying to work out the best method of getting all these
domains to join this new AD. Each NT server is also used as a file
store server and some contain masses of files with many layers of
group permissions. These are stored on different partitions to the OS
(e.g. D: or E: drive). I don't want to have to re-create these folder
structures. This is my current plan (1 NT domain at a time):

1. Migrate users and groups (including SIDHistory) from NT PDC to AD
using ADMT.
2. Format C: drive to remove NT OS of NT server.
3. Install a fresh installation of Win 2000 on the existing C:
partition (build as a member server of the new domain).
4. DCPROMO server to join the new AD domain.

Doing this at each domain should eventually lead to a single AD
domain.
Can anyone see any problems using this plan?
I'm most concerned about migrating SIDHistorys and retaining the
permissions. Is anyone aware of any problems I could encounter doing
this? If there are any other, simpler methods of doing this, ideas
would be much appreciated.

Many thanks

If you are migrating all to one domain, you can do exactly what you are
proposing, but as you said, I would first migrate the users with ADMT. As
for the file permissions, you will lose them with a reinstall since the SIDS
will be wiped out. You can possibly use permcopy.exe to copy the whole
structure from these machines to a current Windows 2000 server and
preserve the permissions. Here's more info:

How to Copy Files and Maintain NTFS and Share Permissions
http://support.microsoft.com/?id=174273

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Guest

Many thanks Ace.
If I migrate the SIDHistory while I migrate Users & Groups with ADMT, will I
lose the file/folder permissions? (I thought the reason for migrating
SIDHistory was to retain these permissions).
I will check out permcopy if this is not the case.
 
Ace Fekay [MVP]

In
gmickelsen said:
Many thanks Ace.
If I migrate the SIDHistory while I migrate Users & Groups with ADMT,
will I lose the file/folder permissions? (I thought the reason for
migrating SIDHistory was to retain these permissions).
I will check out permcopy if this is not the case.


Yes, it will retain the old SID, but that was designed to be able to access
resources in the source domain. I haven't tested what you are trying to do,
but as I understand your intentions, you're wiping out the source domain
completely and rebuilding the machines directly after the migration, then
that would be a non issue. You can try it and let me know. I'm not sure if
it will work. If you copy them over, and the old domain is wiped out, and
you go into the Security tab to view the ACL, you will see a bunch of
'unknown objects' instead of the user account names, since it cannot
enumerate what the SIDS are without the old domain.

--
Regards,
Ace

 
Guest

Thanks Ace.
For your info:
I've tried this out now. This is an overview of what I did:
1. Created folders on E: partition on NT server for NT users and groups.
2. Migrated users and groups (including SIDs) from NT domain to AD domain.
3. Installed Win 2K over the top Win NT C: partition (formatting C: in
process). Built this just as a workgroup server.
At this stage, I checked the folder permissions and as expected they were
shown as SID numbers.
4. Ran DCPROMO on this W2K workgroup server (add additional DC to existing
domain) to join existing AD domain.
5. Checked permissions on folders on E: drive. These were back to normal,
showing correct users and groups.
 
Ace Fekay [MVP]

In
gmickelsen said:
Thanks Ace.
For your info:
I've tried this out now. This is an overview of what I did:
1. Created folders on E: partition on NT server for NT users and
groups.
2. Migrated users and groups (including SIDs) from NT domain to AD
domain.
3. Installed Win 2K over the top Win NT C: partition (formatting C: in
process). Built this just as a workgroup server.
At this stage, I checked the folder permissions and as expected they
were shown as SID numbers.
4. Ran DCPROMO on this W2K workgroup server (add additional DC to
existing domain) to join existing AD domain.
5. Checked permissions on folders on E: drive. These were back to
normal, showing correct users and groups.

Interesting test! Assumingly it works because of the SIDHistory. Thanks for
testing it!

There you have your answer!!

:)

Ace
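
Added example, not part of the thread or any poster's code: a PowerShell audit of the check done by hand in the Security tab above. It walks a data volume and reports explicit ACEs whose SID no longer resolves, or resolves but belongs to a domain other than the new one (for example through SIDHistory). $Root and $TargetDomainSid are placeholders with constructed values; the script assumes PowerShell 3.0 or later on a machine joined to the new domain.

```powershell
# Added example. $Root and $TargetDomainSid are placeholders (constructed values).
param(
    [string]$Root = 'E:\',
    [string]$TargetDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$target  = New-Object System.Security.Principal.SecurityIdentifier($TargetDomainSid)
$cache   = @{}   # SID string -> classification, so each SID is looked up once

function Get-SidStatus {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Translate() throws when no account (or sIDHistory entry) matches the SID;
    # that is the case the Security tab shows as an unknown account.
    try   { $name = $Sid.Translate($ntType).Value }
    catch { $name = $null }

    $domain = $Sid.AccountDomainSid   # $null for well-known SIDs such as BUILTIN groups
    if     (-not $name)              { $status = 'Unresolved' }
    elseif ($null -eq $domain)       { $status = 'WellKnown' }
    elseif ($domain.Equals($target)) { $status = 'TargetDomain' }
    else                             { $status = 'ForeignDomainSid' }  # sIDHistory, trust or local account
    [pscustomobject]@{ Name = $name; Status = $status; DomainSid = "$domain" }
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Explicit ACEs only; inherited ones are reported at the folder that defines them.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $key = $ace.IdentityReference.Value
        if (-not $cache.ContainsKey($key)) { $cache[$key] = Get-SidStatus $ace.IdentityReference }
        $info = $cache[$key]
        if ($info.Status -in 'Unresolved', 'ForeignDomainSid') {
            [pscustomobject]@{
                Path = $folder.FullName; Sid = $key; Name = $info.Name
                Status = $info.Status; DomainSid = $info.DomainSid
                Rights = $ace.FileSystemRights
            }
        }
    }
}

# Summary per source domain SID and status, then the detail rows.
$report | Group-Object DomainSid, Status | Select-Object Count, Name | Out-Host
$report | Sort-Object Status, Path | Format-Table -AutoSize | Out-Host
```

Rows marked ForeignDomainSid are the ACEs that still carry a source-domain SID, so they are the ones to re-ACL to the new accounts before SIDHistory is ever cleaned up.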
 
