Wes -
Kevin is exactly correct that an in-place upgrade will perfectly preserve any garbage 
that's in your existing domain, and many folks use the move to AD as a perfect 
opportunity to make a fresh start.  However, if you're happy with your original domain 
and just need to get to AD, the in-place upgrade works very well, is transparent to 
your users, and does not require you to spend a bunch of cash on a migration tool 
(sorry, Kevin!).

As some other posters mentioned, the exact process depends on whether you're re-using 
the original server hardware or replacing it.  If you're replacing hardware, you can 
add one of the new servers as an NT4 BDC, promote it to PDC, and upgrade that (the PDC 
must be the first server upgraded to W2K).  Then install your second new server as a 
W2K member server and dcpromo.  We don't like having 'upgraded' servers in our 
network, so we took the additional step of moving the FSMOs from the upgraded PDC to 
the other new DC and rebuilding the first DC from scratch.

If you plan to keep any BDCs online, you'll need to stay in mixed mode and put a 
system in place to keep the netlogon shares in sync between a DC and the BDCs.

Before the upgrade, we used NT4 system policies to lock down many of the desktops, and 
this worked for both NT4 and W2K clients.  As soon as the W2K clients realize that AD 
is available, they ignore this and want to use GPO instead.  You want to make sure 
you're ready for this, and have your GPOs ready to go.

In any case, make sure to test the plan in the lab - make sure you know where you will 
install DNS, where to point the DNS resolver for each server at each step of the 
upgrade, etc.  We temporarily installed an extra BDC in the production domain, then 
removed it and put it on an isolated lab network and promoted it to PDC so we had an 
identical test bed.  We ghosted this so we could try the upgrade over and over til we 
had the plan down cold.

Worked well for us (single domain, 30+ BDCs, thousands of clients).  Didn't have to 
touch any of the clients except to test that they could still authenticate, pull 
policies/profiles, etc. (yes, they all worked).

Dave

-----Original Message-----
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 8:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Wes, 

There are as many issues with an inplace upgrade as there are benefits.
The option to create a pristine AD and move everything over allows you a
lot of flexibility in cleaning up your old NT environment and making
sure you don't migrate any junk that you should get rid of anyway. So
with your original question, there are quite a few migration products
out there that allow you to do everything you want to do while allowing
for a secure and project oriented experience. The profile issue is an
easy one for our (Aelita's) product to handle. The goal is no impact to
the user and no touching of workstations. You want the profile re-ACLed
and you want the system to recognize the new domain without a reboot,
and you want all permissions to be reset to specify the new AD user and
remove the legacy SID. The other products to evaluate would be Quest
Software's migratory and NetIQ's migratory to name the most obvious.
There are many. 

Also, Ken pointed out the process to upgrade NT PDC to W2k and (in his
words) Voila!...

Know that the W2k machine is not a DC in an NT domain; it is a DC in a
new AD domain and it happens to have NT 4.0 BDCs... This is just a point
of clarification because it sounded a bit confusing.

Kevin

-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 5:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh

The biggest issues will be getting the ADC (active directory connector)
between Exchange 5.5 and E2K/AD up and running.  A badly configured
connection agreement in the ADC can wreak havoc but is otherwise
straightforward.  In our testing, a bad CA is the only issue we ran into.
Other testing process went without a hitch.

The upgrade from NT 4.0 to AD is fairly easy once you have your forest
design worked out, which it sounds like you do....

Personally, IMHO, _if_ your NT 4.0 domain(s) is/are clean, I much prefer
an upgrade to a migration.

Diane 

-----Original Message-----
From: Tom.Gray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Wes --
  I just completed an in-place upgrade.  It wasn't too bad, but it had a
couple of troublesome moments.  Get the whitepaper from Microsoft on
upgrading Exchange 5.5 to 2000, then get the rest of the docs from
Microsoft about potential problems.  Some docs say you cannot be in mixed
mode, others tell you how to upgrade and stay in mixed mode.  (We stayed in
mixed mode.)

  During the in-place upgrade of our Exchange server the install process
failed (it hung in the middle of the mailbox upgrade) and after a call to
PSS we had to go back to Exchange 5.5 (then restore the IS from tape
backup) and make some changes, then run the upgrade again.

  As of now we are running AD in mixed mode, Exchange 2000.  Single domain.
Two domain controllers.  No DHCP or WINS.  We're having a couple of
interesting issues that I haven't tracked down yet, but I'd say 95% is up
and running.

  I can get you more information if you desire.

Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet:  [EMAIL PROTECTED]
AT&T Net: (919)960-8888



-----Original Message-----
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 4:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


I'm starting to like the sound of this.

Anyone have any info for me to check out?

Thanks.

Wes

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 4:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Yes

 -----Original Message-----
From:   Weston Rogers [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, October 16, 2002 3:29 PM
To:     '[EMAIL PROTECTED]'
Subject:        RE: [ActiveDir] NT to AD client migration headaches.. blargh

I need to preserve all groups/users/mailboxes/mail/public folders for the
whole domain, does an in-place upgrade accomplish that?

Wes

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 16, 2002 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NT to AD client migration headaches.. blargh


Any reason why you can't do an in-place upgrade instead of migrating?
Dave

-----Original Message-----
From: Weston Rogers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 16, 2002 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NT to AD client migration headaches.. blargh


Hey guys.

I've got a few questions and I hope someone can lead me in the right
direction or give me a heads up on an idea that will help my situation.

My situation is that we have 1 NT 4 domain (1 PDC, 1 BDC, 1 webserver) with
300 or so clients scattered throughout 5 states.  We are consolidating the 3
servers into 2 and just totally replaced all our network equip.  I've tested
the plan I created for our migration, but when clients log onto the new
domain after being on the old one, the workstation (all win2k pro) sets up a
new profile since it's a new domain, thus losing all of their stuff ..

1 - is there any way to change this? I heard rumors about a profiler
converter or something of that nature, I can't have 300 people call me at
once in order for me to walk their clueless asses through email setup, etc.
(lol)

2 - Or is it possible for AD to become a DC of a NT4 domain in mixed mode
then after account migration remove the NT4 machines (I assume the netbios
AD name could be the same as the current NT4 domain name and still have a
required FQDN for AD) so clients still use the same netbios domain name for
logon.

I've done countless migrations, but none that fix this issue, I have NO
other issues except with trying to make this as transparent as possible for
the clients.

I really appreciate your time,

Thanks,

Wes



--
Wes





   
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/