NT4 --> AD 2003 Domain Migration [SAM Clean-Up Phase]

Discussion in 'Server Migration' started by Antoine GOLIO, Sep 14, 2004.

  1. We are preparing an important domain Migration from NT4 Domain to an AD 2003
    Forest.

    ADMT is using SAM NT4 for Computer Migration Phase.

    I'm trying to inventory our real Computer objects by merging SAM
    information (netdom query /d:Domain_Name SERVER) and Landesk Inventory
    information.

    2000 objects in NT4 SAM ; 700 in Landesk !!!!

    I know that NT4 SAM contains a lot of obsolete objects and I know that our
    Landesk Inventory is not exhaustive.

    The only way to clean up obsolete SAM objects would be to query Secure
    Channel info between WKS and NT4 Domain, but a characteristic of our
    environment is that 50% of PCs are laptops (mobile population).

    Is there a way to query the PDC for the secure channel age of each WKS of
    the domain (even if the WKS is not connected)?
     
    Antoine GOLIO, Sep 14, 2004
    #1

  2. Hi Antoine,

    Thanks for your posting here.

    I think you can refer to the following document to remove the old computer
    accounts.

    HOWTO: How to Detect and Remove Inactive Machine Accounts
    http://support.microsoft.com/?id=197478

    The procedure uses batch files and resource kit utilities to create a list
    of machine accounts sorted by the last time the machine account's password
    was updated. The list then needs to be examined by an administrator to
    remove all machine accounts that are deemed active, leaving only the old
    machine accounts in the remaining list. The remaining list is then read by
    a batch file that systematically deletes the old machine accounts using
    Windows NT resource kit utilities.

    Hope it helps.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    From: "Antoine GOLIO" <>
    Subject: NT4 --> AD 2003 Domain Migration [SAM Clean-Up Phase]
    Date: Tue, 14 Sep 2004 10:32:13 +0200
    Newsgroups: microsoft.public.windows.server.migration

    Bob Qin [MSFT], Sep 15, 2004
    #2

  3. Thank you for the answer.
    Very interesting scripts but unfortunately, it doesn't work (very well).
    It returns "List complete : 0 machine accounts found" !!!?
    I think the problem is with the Oldms2.bat :
    it calls the following command :
    "nltest /server:%3 /user:%1$ | find "PasswordLastSet" > temp.txt"
    %1 is a computer name.

    I tried the following command from the NT4 PDC: nltest /server:pDC
    /user:WAGOLIO (where PDC is the name of the PDC and WAGOLIO is the name of
    a workstation in the domain).
    The result : " Cannot open SAM\SAM\Domains\Account\Users\Names\WAGOLIO
    Status = 2 0x2 ERROR_FILE_NOT_FOUND"

    If I try the command nltest /server:pDC /user:a.golio (where PDC is the
    name of the PDC and a.golio is the name of a user account in the domain), it
    works fine.

    Any idea?
    Current Environment :
    PDC = NT4 US SP6
    nltest : v4.0
    Automatic Machine Account Password Changes is enabled on the Domain NT4.


    Thank You


     
    Antoine GOLIO, Sep 15, 2004
    #3
  4. Hi Antoine,

    These BAT files work properly on my side.

    Please make sure that when you run "OLDMS.BAT DomainName" command, you use
    the right NT domain name to replace DomainName.

    In addition, as for the command in Oldms2.bat, you can try the following
    command.

    nltest /server:pDC /user:WAGOLIO$

    Here PDC is the name of the NT PDC.

    Good luck!

    Regards,
    Bob Qin
    Microsoft Online Partner Support


    --------------------
    From: "Antoine GOLIO" <>
    Subject: Re: NT4 --> AD 2003 Domain Migration [SAM Clean-Up Phase]
    Date: Wed, 15 Sep 2004 11:17:45 +0200
    Newsgroups: microsoft.public.windows.server.migration

    Bob Qin [MSFT], Sep 15, 2004
    #4
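
Added example, not part of the thread and not the KB article's batch files: Python code that reconciles a SAM machine-account list (names stored with a trailing `$`, as the `nltest /user:WAGOLIO$` fix shows) with an inventory export and password-change dates, producing the review list an administrator would examine. The input shapes, the 90-day cut-off and every host name except WAGOLIO are assumptions.

```python
from datetime import date

def sam_name(host):
    """Normalize a host name to its SAM machine-account form (short, upper case, trailing '$')."""
    short = host.strip().split(".")[0].upper()
    return short if short.endswith("$") else short + "$"

def classify(sam_accounts, inventory_hosts, today, max_age_days=90):
    """Return {account: (verdict, age_in_days)}.

    sam_accounts: {name: date of last machine password change, or None if unknown}
    inventory_hosts: host names from the inventory tool, any case, short or FQDN
    max_age_days: assumed cut-off; pick one longer than your longest laptop absence
    """
    inventoried = {sam_name(h) for h in inventory_hosts}
    out = {}
    for raw, last_set in sam_accounts.items():
        acct = sam_name(raw)
        age = (today - last_set).days if last_set else None
        if acct in inventoried:
            # Inventory presence wins: an off-site laptop can have an old
            # machine password and still be a real computer.
            verdict = "keep-inventoried"
        elif age is None:
            verdict = "review-no-date"
        elif age <= max_age_days:
            verdict = "keep-recent"  # active on the domain, so the inventory has a gap
        else:
            verdict = "review-stale"
        out[acct] = (verdict, age)
    return out

def review_list(classified):
    """Accounts an administrator must examine: oldest password first, undated last."""
    todo = [(a, v, age) for a, (v, age) in classified.items() if v.startswith("review")]
    return sorted(todo, key=lambda t: (t[2] is None, -(t[2] or 0)))

# Constructed sample data (only WAGOLIO appears in the thread; the rest is invented).
SAM = {"WAGOLIO$": date(2004, 9, 10), "LAPTOP017$": date(2004, 3, 2),
       "OLDPC204$": date(2002, 11, 20), "WKS311$": date(2004, 9, 1), "GHOST9$": None}
LANDESK = ["wagolio", "laptop017.corp.example"]

if __name__ == "__main__":
    result = classify(SAM, LANDESK, today=date(2004, 9, 15))
    for acct, verdict, age in review_list(result):
        print(acct, verdict, age)
```

Nothing is deleted here: the output is only the candidate list, which still needs a human decision before any account is removed.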