NT4 PDC to Member Server in Other AD Domain

Charlie

Hi
The organization that I work for will be doing a Win2K
Active Directory upgrade/migration fairly soon. I am an
admin of a resource domain. All of the existing domains
will be collapsed down to one.
Here is my problem: Our PDC is also our main file and
print server and will continue to be when we are in an
Organizational Unit in the AD domain. Needless to say,
we have lots of data, ACLs and domain local groups on
it. For some reason, I thought that you could upgrade an
NT4 domain controller directly to a Win2K member server,
which probably would have solved the problem. Since I
can't do that, I'm wondering what my options might be.
Do any of the migration tools migrate NT4 DCs to member
servers of an AD domain? I'm guessing that the answer is
no. I could simply wipe out the OS partition after
promoting a BDC to PDC, do a clean install of W2K or W2K3
and join it to the existing NT4 domain as a member
server. I could then recreate the local groups on the
member server and use Group Copy to copy all of the local
groups from a DC. Since I have used the Printmig utility
to copy all of the printers from the PDC to a backup
print server, I could use it to copy them from the backup
print server back to the new member server.
Migrating the member server to the AD domain is well down
the road and someone else will be responsible for that. I
just don't want them to show up one day and say "OK, time
to bring down your domain controllers."
Question #1: If I use the above method, what happens to
the ACLs on all of the data and printers? Will they see
the member server local groups as being the same as the
domain local groups that they originally were written
for? I have successfully used Robocopy to copy a
directory tree and its permissions from a domain
controller to a member server, but this is a little
different because the data is not being moved, the OS is
being replaced.
Question #2: Is there a better method?
Thanks
 
Enkidu


You will lose all permissions on the data and printers. Basically,
wiping out the SAM database, which is what would happen if you do a
clean install of the new OS, will mean a *new* SAM database, hence all
the permissions will be lost. If you check the permissions on a
resource it will show numeric information (S-1-....) and not the
names.

I would expect that the planning of the move would involve deciding
what to do about your situation. I would have thought that it would
include consulting you. It would be doomed to failure if the central
IT were to just show up and shut down your Domain Controllers.

I would contact the central IT and ask them what their plans are with
regards to the existing Domains. They should have plans for this. If
not, they are not properly doing their job.

Cheers,

Cliff

{MVP - Directory Services}
 
Charlie

Thanks for the quick reply. Keep in mind that the new
OS would be installed before migration. The new groups
on the member server would have the same names as the
groups that had been referenced in the ACLs on the DC.
Since it's still in the NT4 domain, the users' SIDs
should remain the same. That said, the groups themselves
would have different SIDs than before. Is that what
causes the problem?

Central IT is consulting with us, but I have a feeling
that they haven't thought about this sort of thing. All
of the instructions that I have seen regarding AD
migrations refer to NT 4 DCs as though they never do
anything but be DCs. Therefore the only scenarios that
seem to be discussed are decommissioning them or
upgrading them to AD DC's. If someone can point me to
some documentation or a case study that covers this, I
would be grateful.
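The following is an added illustration of the point Cliff makes and Charlie's follow-up question (it is not code from this thread): an ACE survives the rebuild only if its trustee SID was issued by the NT4 domain, while a same-named local group recreated on the new SAM gets a new issuer prefix, so its old ACEs show up as raw S-1-5-21-... entries. The domain SID, old machine SID and the icacls-style listing (icacls is the later Windows tool; cacls prints similar trustee:rights pairs) are all constructed for the example.

```python
import re

# Constructed SIDs for the example: the NT4 domain SID (unchanged by the
# rebuild) and the machine SID of the old PDC, whose SAM the reinstall wipes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed icacls-style dump of the rebuilt server. Trustees that still
# resolve print as names; orphaned ones print as raw SIDs (Cliff's S-1-...).
SAMPLE_ACL = """\
D:\\Data\\Finance CORP\\jsmith:(OI)(CI)(M)
                 S-1-5-21-4444444444-5555555555-6666666666-1005:(OI)(CI)(M)
                 BUILTIN\\Administrators:(OI)(CI)(F)
D:\\Data\\HR S-1-5-21-1111111111-2222222222-3333333333-1104:(OI)(CI)(RX)
            S-1-5-21-4444444444-5555555555-6666666666-1012:(OI)(CI)(F)
            NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def classify_trustee(trustee, domain_sid=DOMAIN_SID, old_machine_sid=OLD_MACHINE_SID):
    """Say where an ACE trustee comes from and whether it outlives the rebuild."""
    if not SID_RE.match(trustee):
        return "resolved"                  # printed as a name: still valid
    issuer = trustee.rsplit("-", 1)[0]     # strip the RID, keep the issuer
    if issuer == domain_sid:
        return "domain"                    # issued by the NT4 domain: survives
    if issuer == old_machine_sid:
        return "orphaned-local"            # issued by the wiped SAM: dead ACE
    return "unknown"

def parse_icacls(text):
    """Return (path, trustee, rights) triples from icacls-style output.
    Assumes paths without spaces; continuation lines are indented."""
    entries, path = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():           # a new path starts this line
            path, raw = raw.split(None, 1)
        trustee, rights = raw.strip().rsplit(":", 1)
        entries.append((path, trustee, rights))
    return entries

def orphaned_aces(text):
    """Map each path to the ACEs whose trustee no longer resolves."""
    report = {}
    for path, trustee, rights in parse_icacls(text):
        if classify_trustee(trustee) == "orphaned-local":
            report.setdefault(path, []).append((trustee, rights))
    return report

if __name__ == "__main__":
    for path, aces in orphaned_aces(SAMPLE_ACL).items():
        for trustee, rights in aces:
            print(f"{path}: orphaned ACE for {trustee} {rights}")
```

Run against a real listing before wiping the OS partition, with the real domain and machine SIDs substituted, to see which ACEs would need to be rewritten against the recreated groups.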
 
