Indecision about upgrade

Vitalis

I am paralyzing myself with indecision about the best
upgrade path. Any comments and advice on my options and
best path would be most welcome. I am struggling with which
way to upgrade and how to integrate with existing DNS.

Environment
- 1 NT 4 PDC and 1 NT 4 BDC (SP6a on both), neither
provides anything other than the PDC/BDC functions
- 20+ Win2k member servers of NT domain (SP4 on all)
- Domain name = COMPANY_NT
- DHCP provided by NetWare 6 server to workstations
- All servers use manually assigned IP's, do not use DHCP
- DNS entries for servers at this time are mostly manual
- DNS provided by NetWare 6 server and Win2k server
- Workstations are Win2k
- Servers are all centralized
- 900 user organization but < 100 need access to Win
servers
- DNS name is company.com

Problems
- want to eliminate NT 4 servers due to old hardware and
outdated OS
- want to implement AD
- want to get rid of WINS
- want to keep the company.com domain name as the top of
the tree, as well as have any server in the domain being at
the root, i.e. server1.company.com
- want to eliminate the ORG_NT domain name with underscore
which is not supported by DNS (this is my understanding)
- want to retain existing DNS structure where NetWare DNS
provides DHCP and DNS info for workstations. Windows DNS
will be used only for Windows servers. Some forwarding
would be set up to pass requests on to each other
- unsure if really need DNS in AD or not

Thx
Vity
 
Scott Harding - MS MVP

Ok, Active Directory requires that all internal Windows 2000 Pro machines and
up use the internal DNS server for name resolution and logging into the
domain. You MUST use DNS on a Windows 2000 for Active Directory to function
correctly. You could use your other DNS server but that will have to be some
sort of secondary DNS settings for your clients or you could do zone
transfers between the two DNS servers. In order to rename your domain you
will have to do that in NT before upgrading to Windows 2000. If you upgrade
to Win2k3 you can do this but there are limitations and things to consider
for that. I would also suggest using DHCP from Windows instead of Novell in
order to populate Win2k DNS with all your client settings. This (DNS)
actually is what will enable you to make WINS mostly go away. You may not be
able to completely remove WINS and some applications still rely on NetBIOS
names. DNS works so much better than WINS and should take care of most of
the typical WINS issues. You could also create a whole new domain and make
the domain name the way you want it and then use ADMT to migrate users etc.
to this new domain. This is not an easy undertaking and really there is too
much for a newsgroup to help you for the most part. This is really something
that you should discuss with a local experienced consultant in your neck of
the woods. Also, some things that you are saying really show the lack of
experience here, no offense meant, and doing something wrong during this
process can really shoot yourself in the foot and could blow up your whole
migration. Here is some general info but you need to do some reading and
research and I really think a local consultant could at least help you with
getting a working plan that would include some sort of emergency backout
procedure. Even if you do the actual work a consultant can help build the
plan which is most important!

http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
 
Danny Sanders

> - want to eliminate NT 4 servers due to old hardware and
> outdated OS
> - want to implement AD

On a new server install NT 4.0 on it as a BDC while connected to your
existing network. Promote to PDC and upgrade to Win 2k and AD.

> - want to get rid of WINS

Make sure you don't have any apps that rely on WINS or that you don't have
pre Win 2k client PCs.

> - want to keep the company.com domain name as the top of
> the tree, as well have any server in the domain being at
> the root ie. server1.company.com
> - want to eliminate the ORG_NT domain name with underscore
> which is not supported by DNS (this is my understanding)

Suggest you rename the NT 4.0 domain before you start any of this.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;178009&Product=nts40

> - want to retain existing DNS structure where NetWare DNS
> provides DHCP and DNS info for workstations. Windows DNS
> will be used only for Windows servers. Some forwarding
> would be setup to pass requests on to each other
> - unsure if really need DNS is AD or not

AD MUST use a DNS server set up for AD. AD requires a DNS server that
supports SRV records and while not mandatory it is suggested it also support
dynamic updates.

When a client logs on to the domain they search the DNS zone for SRV
records. In your planned setup, your Windows servers will register their SRV
records on the Win 2k DNS server. Your clients will be pointed to the
Netware server for DNS. The clients will not find the required SRV records.
It will take ages for them to log on, group policy will not work, and a ton
of other problems. I would suggest not forwarding to find SRV records,
longer log in time. I would suggest setting up Win 2k's DNS. Pointing ALL AD
clients to this AD DNS server ONLY (clients and servers). Configure your AD
DNS server to forward requests and list your Netware server as the
forwarder.

See:
How to: Configure DNS for Internet Access In Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

Setting Up the Domain Name System for Active Directory

http://support.microsoft.com/default.aspx?scid=kb;en-us;237675





hth

DDS W 2k MVP MCSE
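
The lookup described in the post above, as an added example that is not part of any post in this thread: it parses two zone listings and reports which domain controller locator SRV names each DNS server could answer for company.com. The SRV names are the standard ones a domain controller registers; the zone contents, the host `dc1` and the addresses are constructed for illustration.

```python
import re

# SRV owner names that Windows 2000+ domain members query to locate a
# domain controller (registered in DNS by the DC's Netlogon service).
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
)
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$", re.I)

def parse_srv(zone_text, origin):
    """Map each SRV owner (as an FQDN) to its (prio, weight, port, target) tuples."""
    origin = origin.rstrip(".").lower()
    found = {}
    for raw in zone_text.splitlines():
        m = SRV_LINE.match(raw.split(";", 1)[0].strip())  # ignore ';' comments
        if not m:
            continue
        owner = m["owner"].lower()
        # Names without a trailing dot are relative to the zone origin.
        owner = owner[:-1] if owner.endswith(".") else f"{owner}.{origin}"
        found.setdefault(owner, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]),
             m["target"].rstrip(".").lower()))
    return found

def missing_locator_records(zone_text, domain):
    """List the DC-locator SRV names this zone cannot answer for `domain`."""
    have = parse_srv(zone_text, domain)
    wanted = [n.format(d=domain.lower()) for n in REQUIRED_SRV]
    return [n for n in wanted if n not in have]

# Constructed sample zones for company.com; dc1 and the addresses are hypothetical.
NETWARE_ZONE = """\
server1   IN A 10.0.0.11      ; manually entered server records only
"""
WIN2K_ZONE = """\
dc1                          IN A   10.0.0.5
_ldap._tcp.dc._msdcs     600 IN SRV 0 100 389 dc1.company.com.
_kerberos._tcp.dc._msdcs 600 IN SRV 0 100 88  dc1.company.com.
_ldap._tcp               600 IN SRV 0 100 389 dc1.company.com.
_kerberos._tcp           600 IN SRV 0 100 88  dc1.company.com.
_kpasswd._tcp            600 IN SRV 0 100 464 dc1.company.com.
"""
```

A client pointed only at the server holding the first zone gets no answer for any of the five names, which is the slow-logon case the post warns about.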
 
Vitalis

> - want to retain existing DNS structure where NetWare DNS
> provides DHCP and DNS info for workstations. Windows DNS
> will be used only for Windows servers. Some forwarding
> would be setup to pass requests on to each other
> - unsure if really need DNS is AD or not
>
> AD MUST use a DNS server set up for AD. AD requires a DNS
> server that supports SRV records and while not mandatory
> it is suggested it also support dynamic updates.
>
> When a client logs on to the domain they search the DNS
> zone for SRV records. In your planned setup, your Windows
> servers will register their SRV records on the Win 2k DNS
> server. Your clients will be pointed to the Netware server
> for DNS. The clients will not find the required SRV
> records. It will take ages for them to log on, group
> policy will not work, and a ton of other problems. I would
> suggest not forwarding to find SRV records, longer log in
> time. I would suggest setting up Win 2k's DNS. Pointing
> ALL AD clients to this AD DNS server ONLY (clients and
> servers). Configure your AD DNS server to forward requests
> and list your Netware server as the forwarder.
---
What SRV records won't they find? My clients login and
authenticate to eDirectory/NetWare at startup, not to
Windows. Windows applications run mainly as services or
use accounts within the application itself. NT accounts
exist for many apps to do their thing as well as for
FrontPage authentication for authoring in an internal
company web page. So users authenticate as necessary
after they have logged in.
 
Vitalis

Does it matter that my clients login and authenticate to
eDirectory/NetWare? They only authenticate/login to a
Windows domain or a Windows server as necessary.
Applications run mainly as services or use accounts within
the application itself. A lot of the existing NT accounts
are for FrontPage authentication for authoring in an
internal company web page. I would think DHCP staying on
NetWare side is ok. For DNS, can't I just use a Zone
Transfer from my primary (NetWare) DNS to my secondary
(Win) DNS?

-----Original Message-----
Ok, Active Directory requires that all internal Windows
2000 Pro machines and up use the internal DNS server for
name resolution and logging into the domain. You MUST use
DNS on a Windows 2000 for Active Directory to function
correctly. You could use your other DNS server but that
will have to be some sort of secondary DNS settings for
your clients or you could do zone transfers between the
two DNS servers. In order to rename your domain you will
have to do that in NT before upgrading to Windows 2000. If
you upgrade to Win2k3 you can do this but there are
limitations and things to consider for that. I would also
suggest using DHCP from Windows instead of Novell in
order to populate Win2k DNS with all your client
settings. This (DNS) actually is what will enable you to
make WINS mostly go away. You may not be able to
completely remove WINS and some applications still rely on
NetBIOS names. DNS works so much better than WINS and
should take care of most of the typical WINS issues. You
could also create a whole new domain and make the domain
name the way you want it and then use ADMT to migrate
users etc. to this new domain. This is not an easy
undertaking and really there is too much for a newsgroup to
help you for the most part. This is really something
that you should discuss with a local experienced
consultant in your neck of the woods. Also, some
things that you are saying really show the lack of
experience here, no offense meant, and doing something
wrong during this process can really shoot yourself in
the foot and could blow up your whole migration. Here is
some general info but you need to do some reading and
research and I really think a local consultant could at
least help you with getting a working plan that would
include some sort of emergency backout procedure. Even if
you do the actual work a consultant can help build the
 
Scott Harding - MS MVP

Here we go... Your clients are members of the domain, correct? Then they use
the SRV records to log in to the Win2k domain. If they cannot contact the DNS
server that hosts these SRV records your logins to Win2k resources through
that domain are going to take forever just like Danny said. This is all part
of your not understanding the absolute NEED for DNS in an Active Directory
domain. You cannot get away from this. If you are so tied to your NetWare
domain and users use it for most of their work why don't you get rid of the
NT/2000 domain altogether and just use NetWare? Why make two domains?
 
Danny Sanders

I guess I misunderstood your post.

NT PDC/BDC functions are logins so I assumed you were logging into an NT 4.0
domain and you wanted to replace the PDC/BDC functions (log in) with Win 2k
AD servers.
I'm not even sure why you would need AD now.

DDS
 
Vitalis

My apologies if my message was murky.
I want to make sure the AD is properly in place to
accommodate any future applications that require or need
it. For instance, we have a Citrix farm which is set up in
its own AD domain. This is where we may have some growth
in accounts. These accounts we wish to use XML to sync
between AD and eDirectory, especially for passwords. The
tech in charge of it set up a zone transfer DNS between it
and our primary DNS.
 
Vitalis

I have very few client workstations that are members of
the domain. All use the NetWare client to login to
eDirectory, run their login scripts to access their
NetWare resources. I have Citrix clients which need
domain accounts to login. I have FrontPage users who need
to authenticate to the domain for authoring on an IIS web
site. As well, I have to prepare for applications that
may need AD to function. While it would be nice to have a
single directory service it is no more practical than
having a single OS. I understand I need DNS for the AD
domain, what I was struggling with was exactly how to
integrate it properly with our existing DNS.
-----Original Message-----
Here we go... Your clients are members of the domain,
correct? Then they use the SRV records to log in to the
Win2k domain. If they cannot contact the DNS server that
hosts these SRV records your logins to Win2k resources
through that domain are going to take forever just like
Danny said. This is all part of your not understanding the
absolute NEED for DNS in an Active Directory domain. You
cannot get away from this. If you are so tied to your
NetWare domain and users use it for most of their work why
don't you get rid of the NT/2000 domain altogether and
just use NetWare? Why make two domains?
 
