Migration Woes - the system cannot log you on now because the domain <domain> is not available


jrm73

Thanks for reading. I have an issue and not sure the root cause. I am
in the middle of a migration from NT4 to Win 2003 AD. In order to run
AD migration Tool I need to log on to my 2K3 server with an account that
has admin rights on each PC. All PCs are still in NT domain so I am
using NT admin account. This worked fine in the past but I have since
enabled and configured some group policies to allow local LAN admins to
log on to AD DCs at already migrated locations. Specifically I added
their groups to 'Allow log on Locally' and 'Allow logon thru
terminal services' in Default Domain Controllers Policy. When I
tried to log on to the AD server with NT admin account I initially got
the error saying I couldn't be logged on because the account did not
have 'Allow logon thru terminal' user right. I since added the NT
admin account to the Remote Desktop users group as well as gave this
account 'Allow log on Locally' and 'Allow logon thru terminal
services' in Default Domain Controllers Policy. After doing that I
now get error "the system cannot log you on now because the domain
<domain> is not available." So now I've got a networking issue? My
AD DC can't find the NT 4 DC, right?

I did the following. Added NT4 DC to lmhosts on WIN2K3 DC with hex 1b
entries. Can ping by name etc but not sure what else to do. This
worked in the past when the Default DC Policies were NOT configured.

Any ideas? Thanks for any help-
 

Kurt

Those policies (allow interactive logon, allow logon thru terminal services,
etc) are not to be taken lightly. The net result of enabling the "allow
interactive logon" without specifying any users is to lock everyone out,
including admins. To reverse these policies you need to find out what the
defaults are and re-apply the policy with the defaults (simply disabling the
policies does not undo them). The right thing to do is to add the NT4 admin
or NT4 groups to the AD domain admins group (and make sure the AD account is
also an NT4 admin). Domain admins have the necessary rights to do most
anything required for migration.

....kurt
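
An added example, not posted by either participant: a Python check that reads a security template (the text of a `secedit /export` file or a GPO's GptTmpl.inf) and flags the two logon rights discussed above when they are defined empty or without the built-in Administrators group. The template text is a constructed sample; the function names are illustrative.

```python
# Audits the logon rights in a security template's [Privilege Rights] section.
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_rights(inf_text):
    """Return (right, problem) pairs for risky logon-right definitions."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for right in LOGON_RIGHTS:
        if right not in rights:
            continue  # not defined in this template, so it sets nothing
        members = rights[right]
        if not members:
            findings.append((right, "defined with no members"))
        elif ADMINISTRATORS not in members:
            findings.append((right, "Administrators not in the list"))
    return findings

# Constructed sample: one right granted to a single domain group only,
# the other defined but left empty.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight =
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

if __name__ == "__main__":
    for right, problem in audit_logon_rights(SAMPLE_INF):
        print(f"{LOGON_RIGHTS[right]} ({right}): {problem}")
```

A right that is absent from the template is skipped because an undefined setting does not replace the existing assignment.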
 
