Migration Approach in NT4 to Win2K3 AD


Alan Tang


In my environment, there are 3 NT4 Domain Controllers. (1 PDC with 2

Are the following steps possible?
1.) Set up a new NT4 Domain Controller and join it to the existing domain.
2.) Promote this NT4 Domain Controller to PDC, which demotes the PDC
to a BDC.
3.) Upgrade the new PDC to Windows Server 2003.
4.) Use the Windows Server 2003 Active Directory wizard to turn on
the Active Directory service. The Active Directory service imports the
existing user accounts, groups, and other settings from the PDC.
5.) Set up a new Win2K3 AD DC server and join it to the existing AD.
6.) Transfer all Flexible Single-Master Operation (FSMO) roles to the
new Windows Server 2003 domain controller.
7.) Verify all directory information has replicated.
8.) Demote the first domain controller to a member server, and remove
it from the domain.

For this case, is it possible to raise the domain level to "Windows
Server 2003 interim"?
Q1.) If another trusted domain has Win2K DCs, will that cause a problem?
Q2.) If the domain level has been raised, will the "Forest Functional
Level" automatically be raised to "Windows Server 2003 interim"?
Q3.) In this case, where NT4 BDCs and Win2K3 DCs coexist, do all the members
need to change their DNS to AD's DNS?
Q4.) If I don't change the DNS setting, is it possible that the
authentication process will use the NT4 BDC?
Q5.) For the fallback plan, do I just switch off all the Win2K3 DCs
and promote one of the existing NT4 BDCs to PDC?

Thanks a lot!


First of all, I strongly recommend syncing one of your BDCs and taking it
offline before you in-place upgrade the NT4 PDC.

Q1 & 2) You cannot raise the domain / forest functional levels until you get
rid of all your NT4 BDCs.

Q3) You will need a DNS server that supports SRV records; it does not
necessarily need to be AD integrated though. You do not need to point NT4
machines at the DNS... just 2000/XP/2003.

Q4) By default, 2000/XP clients will not use NT4 BDCs once they have
authenticated against a 2000/2003 DC. However, you can prevent this by using
the NT4Emulator key (http://support.microsoft.com/kb/298713/en-us) during
your update process. While using this key, however, you will not have all the
advantages of AD such as Group Policy unless you use the NT4Neutralizer key on
your XP/2K clients.

Q5) Yes, but because of my point above, if 2000/XP clients authenticate
against 2000/2003 DCs without the NT4Emulator key in place, they will not go
back to using NT4 unless you disjoin and rejoin them to the domain.

Hope this helps.

Brian Delaney
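
The reply's point about the emulation keys can be checked per machine before and during the upgrade. The following is an added example, not part of the original thread: it reports whether the local machine is a DC with the emulator value set or a client with the neutralize value set. The registry path and the value names `NT4Emulator` and `NeutralizeNT4Emulator` are assumed to be as documented in the KB article linked in the reply, the function names are hypothetical, and PowerShell is assumed to be available on the machine.

```powershell
# Added example, not from the thread. Assumption: registry path and value
# names (NT4Emulator, NeutralizeNT4Emulator) as documented in KB 298713.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-NetlogonFlag {
    param([Parameter(Mandatory=$true)][string]$Name)
    # An absent value is the default state and counts as "not set".
    $p = Get-ItemProperty -Path $NetlogonParams -Name $Name -ErrorAction SilentlyContinue
    return (($null -ne $p) -and ([int]$p.$Name -eq 1))
}

function Get-EmulationFinding {
    param([int]$DomainRole, [bool]$Emulator, [bool]$Neutralize)
    # Win32_ComputerSystem.DomainRole: 0 and 2 = standalone,
    # 1 and 3 = domain member, 4 = backup DC, 5 = primary DC.
    if (0, 2 -contains $DomainRole) {
        return 'Standalone machine: not joined to a domain, nothing to check.'
    }
    if ($DomainRole -ge 4) {
        if ($Emulator) {
            return 'DC: NT4Emulator is set. 2000/XP clients without the neutralize value keep treating the domain as NT4.'
        }
        return 'DC: NT4Emulator is NOT set. 2000/XP clients that authenticate here will not return to NT4 BDCs without a rejoin.'
    }
    if ($Neutralize) {
        return 'Client: NeutralizeNT4Emulator is set. This machine ignores the emulation and treats the 2003 DCs as AD DCs.'
    }
    return 'Client: no neutralize value. Behaviour depends on whether the DC it reaches has NT4Emulator set.'
}

# Read the local role and both flags, then print one line per machine.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$finding = Get-EmulationFinding -DomainRole $role `
    -Emulator (Test-NetlogonFlag -Name 'NT4Emulator') `
    -Neutralize (Test-NetlogonFlag -Name 'NeutralizeNT4Emulator')
'{0}: {1}' -f $env:COMPUTERNAME, $finding
```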
