Migrating NT 4 Accounts to Win2k Server

Guest

(also posted in win2K AD)
We currently have an NT 4 PDC used for network logons (about 60 users) and a
few older apps (it is the only NT 4 box - no BDCs). We realize this
situation is not good and want to migrate as much as possible to an existing
win2k domain used primarily for email. We need to maintain the desktop
profiles and migrate any other system and computer accounts needed. The
win2k (mixed mode) domain already has the same users and computers in AD.
We have kept the user account information and passwords the same in both
domains. We have been advised to look at ADMT. It looks like a possible
tool to use, however, we discovered we have to go to native mode on the win2k
domain to run any trial migration tests - which we plan to do.

My questions are:
1. How do we get the user accounts to the AD (since they already exist)
and effectively "add" the NT profile/security info. to their win2k
information without causing issues with their current win2k accounts/email
(exchange 2000 - going to 2003) ?
2. Which of the NT4 system accounts, if any, will we need to migrate?
3. Do we need to migrate any computer accounts from the NT4 box since the
computers already exist in the win2k AD?
4. Users will still need access to the NT4 box for some of the older apps.
The firm has been reluctant to upgrade to newer versions for cost reasons.
Will going to native mode in the win2k domain have any impact on the NT to
win2k domains trusts currently in place (i.e. they won't work)? I have
tried to find information on what going to native mode actually means (other
than you can't have nt4 systems in the domain). How much risk is there
(since you can't go back)?

Thanks for your help and guidance - your suggestions or pointers to
resources would be much appreciated. This is a small firm with no spare
systems to experiment on, so we need to find a good process for making this
happen.
 
j9

Standard MCSE question. If I remember right, the process goes something
like this:

0) back up everything
0a) plan your new tree design
1) upgrade BDCs to win2k BDC emulators
2) upgrade PDC to win2k PDC emulator
3) upgrade domain to mixed-mode AD (there is a wizard that does all this for
you)
4) upgrade member servers to Win2k and add to AD
5) upgrade AD to native mode

My question is: why would you want/need to do this if the current system
works?
 
Guest

Hi,

Thanks but I need some help following your response with respect to the
issue we believe is at hand. To clarify,

- We don't want to upgrade the NT4 PDC to win2k. The goal is to
decommission it after we move the account information and resolve issues with
old software (that does not run on win2k, per the vendor). It's got *no*
disk space and the firm does not want to put money into it since it's going
on 5+ yrs old.
- We now have 2 separate domains, (1) win2k for email with AD and 2 DCs
(mixed mode) and (2) a single NT 4 PDC (NO BDCs).
- Yes, it works, but if the NT PDC dies, no one can logon to the network
with their current profiles. So we want to reduce the impact of the PDC
dying by moving everything off of it that we can and advising the management
(again) of the remaining business risk from not upgrading some really old
apps.

We understood we needed to move the account profiles somehow to the win2k
domain to mitigate the network logon issues. If there's another way, we're
happy to investigate other alternatives and appreciate any pointers you can
give us.

Diane
 
j9

Well, if your primary goal is to keep hell from breaking loose in the event
that the PDC dies, your first action is to build yourself a set of BDCs.
You are running an extreme business risk by not having at least 1 backup
method of authenticating users while you rebuild the server from backups (in
the event of hard failure).

From there, you can upgrade the BDCs to win2k. That takes care of all the
profile and login info being replicated and migrated all in one shot.

From there, promote one of the new BDCs to be the PDC of the domain, shut
down the old PDC, then upgrade the whole network to AD so this P/B stuff
doesn't matter.

Finally, set up your trusts between domains.

I'm sure that there are whitepapers at the MS web site that cover your exact
issue. This kind of thing is also fairly common in the NG if you care to
look through the archives...
 
