Two PDC emulators in the same AD domain?

Guest

I've got three NT4 domains (Domain1, Domain2, Domain3) linked by trusts,
and I want to merge them into a single AD domain.

I've already set up the AD domain called "everything.com" by upgrading
"Domain1"'s PDC and getting a 2000 server to emulate the NT PDC to talk to
legacy systems.

Now I want to add computers in Domain2 into "everything.com" but I still
need the NT4 machine to think there's still a Domain2 NT4 Domain...

Essentially I need to know if it's possible to have two PDC emulators in
the same AD domain emulating two different NT domains.

Thanks for your help,

Adam
 
Laura A. Robinson

circa 01 Nov 2003 02:33:26 GMT, in
microsoft.public.win2000.active_directory, Left-blank-to-stop-spam
([email protected]) said,
Essentially I need to know if it's possible to have two PDC emulators in
the same AD domain emulating two different NT domains.
No.

Laura
 
Ace Fekay [MVP]

Left-blank-to-stop-spam said:
I've got three NT4 domains (Domain1, Domain2, Domain3) linked by trusts,
and I want to merge them into a single AD domain.

I've already set up the AD domain called "everything.com" by upgrading
"Domain1"'s PDC and getting a 2000 server to emulate the NT PDC to talk to
legacy systems.

Now I want to add computers in Domain2 into "everything.com" but I still
need the NT4 machine to think there's still a Domain2 NT4 Domain...

Essentially I need to know if it's possible to have two PDC emulators in
the same AD domain emulating two different NT domains.

Thanks for your help,

Adam

In addition to Laura's response to your question, have you tried using ADMT?
This will do all this for you. You can leave the old domains up after the
migration and selecting to use the SIDHistory feature will allow access to
the old domain's resources.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Laura A. Robinson

circa Sun, 2 Nov 2003 16:06:57 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
In addition to Laura's response to your question, have you tried using ADMT?
This will do all this for you. You can leave the old domains up after the
migration and selecting to use the SIDHistory feature will allow access to
the old domain's resources.
What, "no" wasn't enough? ;-)

Laura
 
Ace Fekay [MVP]

Laura A. Robinson said:
circa Sun, 2 Nov 2003 16:06:57 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
What, "no" wasn't enough? ;-)

It was enough. :)

I usually tend to over-elaborate in some cases. Sorry.

Ace
 
Laura A. Robinson

circa Sun, 2 Nov 2003 22:39:40 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
It was enough. :)

I usually tend to over-elaborate in some cases. Sorry.
No, silly, your answer was much better, methinks. :)

Laura
 
Ace Fekay [MVP]

Laura A. Robinson said:
circa Sun, 2 Nov 2003 22:39:40 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
No, silly, your answer was much better, methinks. :)

Just trying to help!
;-)

Ace
 
Guest

Thanks for your help folks... I think I'll just migrate the other NT
domains into AD Domains using the "upgrade the PDC" method and tell it to
create a new Domain in the Forest.. now that's possible isn't it?

Adam
 
Ace Fekay [MVP]

In
Left-blank-to-stop-spam said:
Thanks for your help folks... I think I'll just migrate the other NT
domains into AD Domains using the "upgrade the PDC" method and tell
it to create a new Domain in the Forest.. now that's possible isn't
it?

Adam

Sure. For what you want to do, choose your biggest domain and migrate that
first with ADMT into a new domain in a new tree in a new forest. Then you
can migrate the remaining NT4 domain accounts (users, groups and computers,
which also translates user profiles too) into this new domain that you just
created in the first step. This way you're consolidating them into the one
domain. I suggest putting them in their own OU (we call it "collapsing them
into an OU") in the new domain and sorting them out later.

Here, read up on it:
Domain Migration Cookbook - Chapter 10 Consolidation of Windows NT 4.0
Resource Domains:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookch10.asp

:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

Sure. For what you want to do, choose your biggest domain and migrate
that first with ADMT into a new domain in a new tree in a new forest.
Then you can migrate the remaining NT4 domain accounts (users, groups
and computers, which also translates user profiles too) into this new
domain that you just created in the first step. This way you're
consolidating them into the one domain. I suggest putting them in their
own OU (we call it "collapsing them into an OU") in the new domain and
sorting them out later.

Here, read up on it:
Domain Migration Cookbook - Chapter 10 Consolidation of Windows NT 4.0
Resource Domains:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookch10.asp

:)

Thanks, that link is very useful/scary :)
Now for the kicker... I've upgraded one of the NT domains to AD (and
therefore created a complete new AD, but I did it on a small NT domain
called EMEA. Now people in EMEA will still see EMEA in the drop down box
on logon and will be happy, but if I bring the other NT Domain users
over using ADMT into that AD Domain their NT Domain (ASIAPAC) will
disappear and they're going to be confused as how to log on.

I'm reluctant to do this for "political" reasons... in fact, now I
think of it, I can remember my trainer (3 years ago, I hasten to add)
saying that pretty much the only reason for having multiple AD Domains
was for political reasons.. I take it this is what he was talking about!

So, thinking it through, it would probably be best if I killed off the EMEA
AD (I assume it's just a case of setting the EMEA PDC to an NT Server
and running DCPROMO to demote each AD DC), then I created a brand new AD
with a geographically non-specific NT domain name, set up a whole load
of trusts, then used ADMT to merge everyone over onto that AD, merging
it all into a single domain.

Does this sound like a good plan of action?

Also, as a final question, my DNS server external as well as the AD
scope... As DNS now contains pretty much all our network topology in it
is this recommended practice or should I get a DNS server which only
serves inside?

Thanks,

Adam
 
Enkidu

Inline....

Thanks, that link is very useful/scary :)
Now for the kicker... I've upgraded one of the NT domains to AD (and
therefore created a complete new AD, but I did it on a small NT domain
called EMEA. Now people in EMEA will still see EMEA in the drop down box
on logon and will be happy, but if I bring the other NT Domain users
over using ADMT into that AD Domain their NT Domain (ASIAPAC) will
disappear and they're going to be confused as how to log on.

I'm reluctant to do this for "political" reasons... in fact, now I
think of it, I can remember my trainer (3 years ago, I hasten to add)
saying that pretty much the only reason for having multiple AD Domains
was for political reasons.. I take it this is what he was talking about!

So, thinking it through, it would probably be best if I killed off the EMEA
AD (I assume it's just a case of setting the EMEA PDC to an NT Server
and running DCPROMO to demote each AD DC), then I created a brand new AD
with a geographically non-specific NT domain name, set up a whole load
of trusts, then used ADMT to merge everyone over onto that AD, merging
it all into a single domain.

Does this sound like a good plan of action?
You don't **need** to blow away the EMEA domain. You can create
another tree for ASIAPAC, but you will have to remember that EMEA is
the root Domain of the forest.
Also, as a final question, my DNS server external as well as the AD
scope... As DNS now contains pretty much all our network topology in it
is this recommended practice or should I get a DNS server which only
serves inside?
Use an internal DNS. Basically, there's no other way to do it that
doesn't involve a lot of grief, holes in firewalls and giving away
control of your AD's DNS.

Cheers,

Cliff
 
Ace Fekay [MVP]

Just to add to Enkidu's response inline...

In
Thanks, that link is very useful/scary :)
Now for the kicker... I've upgraded one of the NT domains to AD (and
therefore created a complete new AD, but I did it on a small NT domain
called EMEA. Now people in EMEA will still see EMEA in the drop down
box on logon and will be happy, but if I bring the other NT Domain
users over using ADMT into that AD Domain their NT Domain (ASIAPAC)
will disappear and they're going to be confused as how to log on.

Well, if you use ADMT and migrate the computer accounts over too, they will
see multiple domains, including ASIAPAC and EMEA. Just instruct them to use
the correct one. Once the old domains are removed and the trusts broken,
those other domains will disappear.
I'm reluctant to do this for "political" reasons... in fact, now I
think of it, I can remember my trainer (3 years ago, I hasten to add)
saying that pretty much the only reason for having multiple AD Domains
was for political reasons.. I take it this is what he was talking
about!

Not necessarily. It could be political for "control".
Deciding to have multiple domains is usually based on:
Administrative Control
or
Different Security Requirements (password, etc), since this is set at the
domain level GPO
or
Replication over ASYNC lines.

Domains are a logical boundary and a security boundary, not a physical
boundary. But unfortunately yes, politics do have a factor in IT.

But keep in mind, even if having multiple domains, it still doesn't stop
other Domain Admins from the ability to alter forest data.
So, thinking it through, it would probably be best if I killed off the
EMEA AD (I assume it's just a case of setting the EMEA PDC to an NT
Server and running DCPROMO to demote each AD DC), then I created a
brand new AD with a geographically non-specific NT domain name, set
up a whole load of trusts, then used ADMT to merge everyone over onto
that AD, merging it all into a single domain.

Does this sound like a good plan of action?

Don't kill EMEA. Migrate the remaining domains into the EMEA domain to give
you one domain. The other domains will co-exist until you're ready to dump
them. Use the SIDHistory option to allow access to the old domains until
ready to remove them.

Also, as a final question, my DNS server external as well as the AD
scope... As DNS now contains pretty much all our network topology in
it is this recommended practice or should I get a DNS server which
only serves inside?

Enkidu got this one for you. NO externals in any AD environment.

Read this for more info on AD and DNS:
http://support.microsoft.com/?id=291382
Thanks,

Adam



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory