Steps For Upgrading From NT4

Discussion in 'Active Directory' started by Tom M, May 28, 2008.

  1. Tom M

    I am trying to resolve a couple of questions about upgrading from a single
    NT4 domain to a single 2003 AD domain. I currently have a small single NT4
    domain with a PDC and a BDC. Neither of these is easily upgradable to 2003.
    I have a 2003 member server that was deployed last year and a new 2003 server
    sitting in a box yet to be deployed.

    My plan is to use a temporary NT4 server to upgrade to 2003 AD. I need to
    set up a new DHCP server as my current BDC is fulfilling that role. I also
    obviously need a DNS server. Both of my new servers are going to be domain
    controllers. So, this is my plan:

    1. Deploy the server in the box as a member server, install DHCP and DNS.
    2. Shut down my NT4 BDC and save it as a rollback server. This is currently
    my DHCP and WINS server.
    3. Upgrade my temporary server from NT4 to 2003 and upgrade the domain to
    interim 2003 AD.
    4. Promote the new member server to a domain controller.
    5. Promote the older 2003 member server to a domain controller.
    6. Shut down the temporary server.

    Is there information that would be on the temporary server that I would need
    to move to the new domain controller before shutting it down?
    Can I set up DNS on a 2003 member server and have that become the AD DNS
    server when I do the upgrade?
    Is there another way to do this that makes more sense?
     
    Tom M, May 28, 2008
    #1

  2. Jorge Silva

    Hi
    See answers inline.
    Member server? You can do an NT4 DC install in the new box, then promote that
    new DC to a PDC and do the upgrade on top of that new DC.
    Remember to NOT overlap the existing scopes. You also need WINS for legacy
    clients.
    Sounds good, but make sure that the WINS db is replicated with the new
    server.
    Member server? Check Step 1.
    The upgrade must be done on the NT4 DC that is the PDC of the NT4 domain.
    Here is a copy/paste from an answer that I gave in an older post; I'm sure
    it has relevant information for you:
    Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
    http://technet2.microsoft.com/WindowsServer/en/Library/b170bdc5-ba55-...
    Migrating Windows NT Server 4.0 Domains to Windows Server 2003 Active
    Directory
    http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/nt4/...
    Active Directory Migration Tool v.2.0
    http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-584...
    Planning:
    - Failover.
    * Back up the servers.
    * Take at least one BDC offline (in case of UPGRADE FAILURE you can always
    promote it to a PDC). The only drawback to this method is that all changes
    that were made while the safe BDC was offline are lost. To minimize this
    loss, you could periodically turn the safe BDC on and off (when the domain
    is in a stable state) during the upgrade process, to update its safe copy of
    the directory.
    To convert the BDC to a PDC: Start -> Programs -> Administrative Tools ->
    Server Manager -> select the BDC, then go to the Computer menu -> choose
    Promote to Primary Domain Controller.
    * Make sure that the hardware and apps meet the requirements.
    * Make sure that all apps installed are compatible with W2K3 and don't cause
    problems with the upgrade process or post-upgrade process.
    * Run from command prompt:
    Cdsource\I386\winnt32.exe /checkupgradeonly
    - Before Upgrade:
    * You can install a new computer (more powerful), make it a BDC, SYNCHRONIZE
    and promote it to PDC, and then perform the upgrade on the new PDC.
    * Windows 2000/XP always prefer Kerberos authentication, so if the newly
    upgraded NT4 to Windows 2003 goes down (offline), the client machines won't
    be able to authenticate in the domain.
    * If this is the case, before upgrading the NT4 PDC, make the necessary
    changes in the registry (NT4Emulator). If NT4Emulator is configured on
    the new PDC, and you want to upgrade the existing BDCs, you also need to
    create a registry entry on the BDCs (NeutralizeNT4Emulator) before the
    upgrade.
    Check:
    Windows 2000-based clients connect only to the domain controller that was
    upgraded from Windows NT 4.0 in a mixed-mode domain
    http://support.microsoft.com/?kbid=284937
    How to prevent overloading on the first domain controller during domain
    upgrade
    http://support.microsoft.com/kb/298713/
    Once all domain controllers are upgraded, remove the registry settings
    created in the previous steps.
    Note: This sometimes may not be needed, e.g. if all existing BDCs will soon
    be upgraded to Windows 2003.
    - Dns Planning:
    Prior to beginning the upgrade from Windows NT Server 4.0 to the Windows
    Server 2003 Active Directory service, ensure that you have designed a DNS
    and Active Directory namespace and have either configured DNS servers or are
    planning to have the Active Directory Installation Wizard automatically
    install the DNS service on the domain controller.
    Active Directory is integrated with DNS in the following ways:
    Active Directory and DNS have the same hierarchical structure. Although
    separate and implemented differently for different purposes, an
    organization's namespace for DNS and Active Directory have an identical
    structure. For example, microsoft.com is both a DNS domain and an Active
    Directory domain.
    DNS zones can be stored in Active Directory. If you are using the Windows
    Server DNS service, primary zone files can be stored in Active Directory for
    replication to other Active Directory domain controllers.
    Active Directory uses DNS as a locator service, resolving Active Directory
    domain, site, and service names to an IP address. To log on to an Active
    Directory domain, an Active Directory client queries its configured DNS
    server for the IP address of the Lightweight Directory Access Protocol
    (LDAP) service running on a domain controller for a specified domain.
    While Active Directory is integrated with DNS and they share the same
    namespace structure, it is important to distinguish the basic difference
    between them:
    DNS is a name resolution service. DNS clients send DNS name queries to their
    configured DNS server. The DNS server receives the name query and either
    resolves the name query through locally stored files or consults another DNS
    server for resolution. DNS does not require Active Directory to function.
    Active Directory is a directory service. Active Directory provides an
    information repository and services to make information available to users
    and applications. Active Directory clients send queries to Active Directory
    servers using LDAP. In order to locate an Active Directory server, an Active
    Directory client queries DNS. Active Directory requires DNS to function.
    If you use BIND DNS servers, make sure that you have BIND 8.1.2
    - Supports: SRV records, Dynamic Updates; doesn't support Secure
    Dynamic Updates (this is one disadvantage compared to the MS DNS server,
    and represents security issues).
    - Create Primary Zone
    If you use 2003 DNS
    * Create Primary Zone
    * You can use a pre-existing DNS or you can create it during the upgrade
    process.
    * Convert to AD-Integrated.
    * NetDiag /fix (This is an extra measure, to register the necessary DNS
    records).
    Check:
    Troubleshooting DNS
    http://technet2.microsoft.com/WindowsServer/en/Library/de2aa69d-1155-...
    How to Verify the Creation of SRV Records for a Domain Controller
    http://support.microsoft.com/?id=241515
    Verify DNS server responsiveness using the nslookup command
    http://technet2.microsoft.com/WindowsServer/en/Library/f8761f04-d665-...
    - The Upgrade.
    * Check if you're on the PDC -> Start -> Programs -> Administrative Tools ->
    Server Manager.
    Right click on Network Neighborhood -> check the name.
    Run from command prompt:
    Cdsource\I386\winnt32
    * The first server running Windows NT Server 4.0 that you must upgrade is
    the primary domain controller (PDC), then you upgrade all remaining BDCs. To
    check if you're on the PDC: Start -> Programs -> Administrative Tools ->
    Server Manager.
    Check:
    How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based
    Domain Controller
    http://support.microsoft.com/?id=326209
    If you don't have Windows 2000 (only NT4 and Windows 2003) in the domain,
    choose the FFL (Forest Functional Level) Windows 2003 interim.
    * Make sure that your DCs' DNS properties point to the right DNS server
    (usually the DC is also a DNS server, so it must point to itself).
    * Once you have upgraded the Windows NT Server 4.0 and earlier PDC, you can
    proceed to upgrade all remaining BDCs.
    * Make sure that you have 1 GC per site (GCs are needed unless: you only
    have one domain, or the DFL is prior to Windows 2000 or Windows 2003).
    * Make sure that network clients point to the network DNS server only
    (usually the DC).
    * If everything is OK, and if all DCs are already Windows 2003, now it's
    time to remove the registry entries (NT4Emulator, NeutralizeNT4Emulator),
    and make the DFL and FFL Windows 2003.
    Verifying Active Directory Installation
    http://technet2.microsoft.com/WindowsServer/en/Library/3d157c1a-5c80-...


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 28, 2008
    #2
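    The DNS checks Jorge lists above (KB 241515, the SRV records that "NetDiag /fix" re-registers, and each DC pointing at a DNS server that holds the AD zone) come down to one question: has every DC registered the locator records clients and replication partners query? The following is an added example, not code from the thread or from Microsoft; it encodes the representative set of Netlogon records for a single-domain forest and reports which ones a given DC has failed to register. The domain name, site name, GUIDs and zone content are all constructed for the example.

```python
"""Verify that a domain controller has registered the DNS locator records
Active Directory clients and replication partners depend on (the check behind
KB 241515 and the records that "netdiag /fix" re-registers).  Zone content is
constructed for the example, not read from a real server."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    host: str             # FQDN of the DC, e.g. "dc2.corp.example.com"
    site: str             # AD site the DC belongs to
    dsa_guid: str         # objectGUID of the DC's NTDS Settings object
    global_catalog: bool
    pdc_emulator: bool


def required_records(dc, domain, domain_guid):
    """Return the (rtype, owner) pairs Netlogon registers for `dc`.

    A single-domain forest is assumed (as in the thread), so `domain` also
    serves as the forest root for the _msdcs and _gc records.  This is the
    subset of Netlogon.dns that the DC locator actually queries, not every
    record the service writes.
    """
    site = dc.site
    recs = {
        ("SRV", f"_ldap._tcp.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.{domain}"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"),
        ("SRV", f"_ldap._tcp.{domain_guid}.domains._msdcs.{domain}"),
        ("SRV", f"_kerberos._tcp.{domain}"),
        ("SRV", f"_kerberos._udp.{domain}"),
        ("SRV", f"_kerberos._tcp.{site}._sites.{domain}"),
        ("SRV", f"_kerberos._tcp.dc._msdcs.{domain}"),
        ("SRV", f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"),
        ("SRV", f"_kpasswd._tcp.{domain}"),
        ("SRV", f"_kpasswd._udp.{domain}"),
        # Replication partners locate this DC by the CNAME, not by hostname.
        ("CNAME", f"{dc.dsa_guid}._msdcs.{domain}"),
    }
    if dc.global_catalog:
        recs |= {
            ("SRV", f"_gc._tcp.{domain}"),
            ("SRV", f"_gc._tcp.{site}._sites.{domain}"),
            ("SRV", f"_ldap._tcp.gc._msdcs.{domain}"),
            ("SRV", f"_ldap._tcp.{site}._sites.gc._msdcs.{domain}"),
        }
    if dc.pdc_emulator:
        # Only the PDC emulator registers this; password changes and Group
        # Policy editing resolve it to find that specific DC.
        recs.add(("SRV", f"_ldap._tcp.pdc._msdcs.{domain}"))
    return recs


def missing_records(zone, dc, domain, domain_guid):
    """Owner names from required_records() whose record set in `zone` does not
    point at dc.host.  `zone` maps (rtype, owner) -> set of target hosts."""
    return sorted(
        owner
        for rtype, owner in required_records(dc, domain, domain_guid)
        if dc.host not in zone.get((rtype, owner), set())
    )


# Constructed sample: an upgraded NT4 PDC and a freshly promoted member server.
DOMAIN = "corp.example.com"                              # assumed AD DNS name
DOMAIN_GUID = "3f2c8b4e-1a6d-4c9e-9d2b-7e5f1a0c4d88"    # constructed
SITE = "Default-First-Site-Name"
PDC = DomainController("nt4pdc.corp.example.com", SITE,
                       "a1b2c3d4-0000-4000-8000-000000000001", True, True)
DC2 = DomainController("dc2.corp.example.com", SITE,
                       "a1b2c3d4-0000-4000-8000-000000000002", True, False)


def simulate_registration(zone, dc, domain, domain_guid, failed=()):
    """Add dc's records to `zone` as Netlogon would; `failed` holds owner names
    whose dynamic update was refused, to model a partial registration."""
    for rtype, owner in required_records(dc, domain, domain_guid):
        if owner not in failed:
            zone.setdefault((rtype, owner), set()).add(dc.host)


def build_sample_zone():
    zone = {}
    simulate_registration(zone, PDC, DOMAIN, DOMAIN_GUID)
    # DC2 was promoted while pointing at a DNS server that refused dynamic
    # updates under _msdcs, so none of those records landed in the zone.
    failed = {o for _, o in required_records(DC2, DOMAIN, DOMAIN_GUID)
              if "._msdcs." in o}
    simulate_registration(zone, DC2, DOMAIN, DOMAIN_GUID, failed)
    return zone


if __name__ == "__main__":
    zone = build_sample_zone()
    for dc in (PDC, DC2):
        gaps = missing_records(zone, dc, DOMAIN, DOMAIN_GUID)
        print(f"{dc.host}: {'OK' if not gaps else f'{len(gaps)} missing'}")
        for owner in gaps:
            print("   ", owner)
```

    In practice you would fill `zone` from the output of nslookup (set type=srv) against the DC's own DNS server rather than from simulate_registration; the point of the check is that a DC with all the plain records present but the _msdcs ones missing will still break replication and GC lookups, which is exactly the gap "netdiag /fix" exists to close.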

  3. Herb Martin

    The PDC is the ONLY computer which can upgrade an NT domain.

    You have two basic choices for upgrade:

    1) Move/upgrade the NT PDC to better hardware.

    2) Install an NT4 BDC on new(er) hardware that will support Windows
    Server. Promote to PDC, then do the upgrade.

    There are NO OTHER choices (except combos of this).

    Also note, I have heard from people that their "NT4 cannot be upgraded"
    when this was actually possible. Pentium, 128 MB, some hard drive space,
    decent/updated BIOS, will usually do it -- and going to Win2000 first might
    make it a TAD easier.
    You must temporarily remove and install NT4 on one of them to use this
    method.

    The BDC can live in the Win2003 domain so you don't have to consider
    this part of the "same step".

    Separate the UPGRADE from all other issues that you can.
    I would not do that. The upgraded PDC can be the DNS (easier because it
    will ASK you) and the current BDC can remain DHCP until you get the
    domain under control.
    We used to recommend this but it is (practically) never needed nor useful,
    so if you have decent NT4 DC backups you can skip it. If you don't have
    good backups it is time to start making those backups.
    That works. And it will offer to install DNS for you (correctly) as part of
    that.

    Let it.
    If it is a DC then it needs to first be DCPromo'd to non-DC.

    Why do this? Use one of the DCs that will remain if you can
    DCPromo needs to be run.

    And if it is your DNS then you need to arrange for that.

    You also need to arrange for the FSMO roles to move if you either
    don't run DCPromo OR you want to be sure (which I prefer.)

    What about WINS Server? Do you have more than one subnet?

    You still need WINS Server if so. (And ALL machines are WINS
    clients, especially DCs.)

    Yes. Dynamic Zone corresponding to the AD Domain name.
    There are ways that are more straight forward and easier but your
    way works.
     
    Herb Martin, May 28, 2008
    #3
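    Jorge's warning not to overlap the existing scopes, and Herb's suggestion to leave DHCP on the BDC until the domain is under control, both point at the same failure: during the window where the NT4 BDC and the new 2003 server are both answering DHCP, any address both are willing to lease will eventually be handed out twice. The following is an added example, not code from the thread; it models scopes as ranges with exclusions, the way the DHCP console presents them, and reports the addresses two servers could both lease. The subnet, server names and ranges are constructed.

```python
"""Find DHCP scopes that could hand out the same addresses while the NT4 BDC
(still serving DHCP) and the new Windows 2003 DHCP server are both online.
All scopes below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Scope:
    server: str
    subnet: IPv4Network
    start: IPv4Address
    end: IPv4Address
    exclusions: tuple = ()    # ((first, last), ...) pairs the server never leases

    def __post_init__(self):
        if self.start not in self.subnet or self.end not in self.subnet:
            raise ValueError(f"{self.server}: range outside {self.subnet}")
        if self.start > self.end:
            raise ValueError(f"{self.server}: start address after end address")


def leasable_ranges(scope):
    """Scope range minus exclusions, as a list of (first, last) integer pairs."""
    ranges = [(int(scope.start), int(scope.end))]
    for first, last in scope.exclusions:
        lo, hi = int(first), int(last)
        kept = []
        for a, b in ranges:
            if hi < a or lo > b:          # exclusion does not touch this piece
                kept.append((a, b))
                continue
            if a < lo:                    # piece to the left of the exclusion
                kept.append((a, lo - 1))
            if hi < b:                    # piece to the right of the exclusion
                kept.append((hi + 1, b))
        ranges = kept
    return ranges


def overlapping_scopes(scopes):
    """Pairs of scopes on different servers whose leasable ranges intersect.
    Returns (server_a, server_b, first_shared, last_shared) tuples."""
    conflicts = []
    for i, s1 in enumerate(scopes):
        for s2 in scopes[i + 1:]:
            if s1.server == s2.server:
                continue     # a single server refuses overlapping scopes itself
            for a1, b1 in leasable_ranges(s1):
                for a2, b2 in leasable_ranges(s2):
                    lo, hi = max(a1, a2), min(b1, b2)
                    if lo <= hi:
                        conflicts.append((s1.server, s2.server,
                                          IPv4Address(lo), IPv4Address(hi)))
    return conflicts


LAN = IPv4Network("192.168.10.0/24")    # constructed subnet

# What the NT4 BDC hands out today.
BDC_SCOPE = Scope("NT4BDC", LAN, IPv4Address("192.168.10.20"),
                  IPv4Address("192.168.10.200"))

# First attempt on the new server: same range, but the exclusion only covers
# half of what the BDC is still leasing.
NEW_SCOPE_BAD = Scope("DC2", LAN, IPv4Address("192.168.10.20"),
                      IPv4Address("192.168.10.200"),
                      exclusions=((IPv4Address("192.168.10.20"),
                                   IPv4Address("192.168.10.120")),))

# Corrected: the scope is built and activated now, but excludes the BDC's
# whole active range; the exclusion is deleted once the BDC is shut down.
NEW_SCOPE_OK = Scope("DC2", LAN, IPv4Address("192.168.10.20"),
                     IPv4Address("192.168.10.200"),
                     exclusions=((IPv4Address("192.168.10.20"),
                                  IPv4Address("192.168.10.200")),))

if __name__ == "__main__":
    for label, scopes in (("bad", [BDC_SCOPE, NEW_SCOPE_BAD]),
                          ("fixed", [BDC_SCOPE, NEW_SCOPE_OK])):
        print(label, overlapping_scopes(scopes) or "no overlap")
```

    The check is deliberately over the leasable range, not the scope range: two scopes that cover the same subnet are fine as long as their exclusions leave no address that both servers would offer, which is the usual way to stage the new server before the BDC goes offline.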
  4. Danny Sanders

    > 1. Deploy the server in the box as a member server, install DHCP and DNS.

    Actually the NT 4.0 PDC is the only server on the NT domain that holds a
    writeable copy of the SAM. In order to carry that SAM into the AD domain the
    PDC of the NT 4.0 domain MUST be upgraded first. New SAM = new domain to the
    domain clients. There is a step in the promotion that asks if this is a
    server for an existing domain.....if you say "yes" you need to provide it
    with an AD domain controller, which you don't have, or the install will
    fail. If you say "no" it will create a new domain controller (new SAM) in a
    new domain. Existing servers and workstations will have to be removed from
    the old domain and added to the new domain.

    Suggest you install and configure DNS on one of the Win2k3 servers you are
    going to use as a DC. Then put together a "box" to add to the existing
    domain as an NT 4.0 member server and promote it to PDC (the existing PDC
    will be demoted to BDC), remove the existing PDC (now BDC) and store it for
    rollback. Upgrade the new PDC (the "box" put together for this) to AD while
    using the Win2k3 server as the DNS server for the NT server.

    Promote the Win2k3 member server that you used as the DNS server to DC
    while pointing the server to itself for DNS. Run dcpromo to make it a DC.
    Transfer the FSMO roles to the new AD DC (there is a doc on the MS site on
    doing this, or the dcpromo down of the first DC should transfer them
    automatically), then remove it from the domain. You are left with a Win2k3
    domain, with a Win2k3 DC, a Win2k3 member server and an NT 4.0 BDC.
    Point the Win2k3 member server to the AD DNS server and promote it to DC. Then
    remove the NT 4.0 BDC.

    hth
    DDS
     
    Danny Sanders, May 28, 2008
    #4
  5. Chris D

    One thing to look out for is NT4 Policies (or Group Policy). They are
    completely different from the ones in AD.
    If you want a nice clean AD after the upgrade make sure (if you have any)
    that they have all been set back to the standard. I missed a few and it took
    me a while to get rid of them.

    It may take you a few attempts to switch them all back to standard but it is
    well worth the effort.
     
    Chris D, May 28, 2008
    #5
  6. Tom M

    What do you mean by setting group policies back to the standard? Do you mean
    the group policies that are installed with the domain?
     
    Tom M, May 29, 2008
    #6
  7. Herb Martin

    I am good with this stuff (an AD MVP and a charter MCSE going
    back to NT 3.5) and I didn't understand what he was saying very
    well either.

    NT4 had System Policies and they had a tendency to "tattoo" the
    registry so maybe he wants to warn you about those. Removing
    them required actually writing a "negative" policy.

    Most Group Policies don't work that way (though a subset do.)

    Group Policy replaced System Policy in the change from NT4
    to AD.

    Very few people actually used System Policy however, and they
    would have tended to be among the early adopters of AD, and
    by now are likely all long since upgraded to at least Win2000.

     
    Herb Martin, May 29, 2008
    #7
  8. Jorge de Almeida Pinto [MVP - DS], Jun 1, 2008
    #8
  9. Chris D

    Yep, wasn't very clear. Sorry.

    We reverted some policies from being ticked to unticked which in fact just
    disabled the policy rather than allowing the policy to go back to being
    neither enabled nor disabled.

    Sorry for not being clear
     
    Chris D, Jun 2, 2008
    #9
  10. Rachel L Chipman

    This is excellent information. I am in the process of upgrading my 3rd NT
    4.0 domain in an existing W2k3 forest. It has been a while since I did the
    first one, which went well, and with the last one I did I created a separate
    forest, which I don't want to do this time. I think this information will
    help.

    I read something that before you take your NT4.0 PDC and upgrade it you
    should change the domain in the TCP/IP properties to the AD FQ domain name.
    So if the existing NT 4.0 domain is abc and the new W2K3 domain will be
    abc.domainname.com, the domain under TCP/IP properties should be changed from
    abc to abc.domainname.com. Does this make a difference?
     
    Rachel L Chipman, Jun 3, 2009
    #10