Migrate Users/Groups from NT4 to 2003


  • #1

    OK, I'm starting a new thread for this since it's really no longer along the same lines as my original post. Let's recap:

    1) 2 Domains, one NT4 (PDC only), one 2003 (2 DCs, one running Exch2003/SBS2003).

    2) Trust relationship between both domains

    3) I'd like to migrate users/groups from NT4 domain to 2003 domain. It looks like this could solve some of the issues I've been having in AD under 2003

    Should I upgrade the NT4 DC to 2000 and then attempt the migration? Seems like that might be a more "compatible" way to do it. Ultimately, the domain currently running NT4 can be phased out as there's really no use for it. In other words, upgrading the NT4 machine might be an extra step unless going from 2000 to 2003 is easier than the NT4 to 2003 migration. Can anyone comment on this?

    Proven e-Commerce Solutions
    340 N. 12th St.
    Suite 200
    Philadelphia PA 19107

  • #2
    > Should I upgrade the NT4 DC to 2000 and then attempt the migration

    No need at all. Take ADMT V2 from the W2003, and do the migration including SIDHISTORY.


    • #3
      Ah the problems still abound...

      I just noticed today that, on Friday, I received event ID 5722 on my SBS/exchange server. So I followed the instructions in KB 810977 (even though I'm on win2k3 and the KB doesn't specifically state it applies to this version of windows).

      At step 22, the date and time do NOT match. The error was logged 4/9/2005 5:29:11 PM. The time reported by nltest is 4/5/11689 3:28:40.

      Next I ran:
      nltest /server:<servername> /sc_query:<domain>
      and I get:
      Flags: 30 HAS_IP HAS_TIMESERV
      Trusted DC names \\FQDN.local
      Trusted DC Connections Status Status = 0 0x0 NERR_Success
      The command completed successfully

      FQDN.local is the name of the machine from which I ran nltest (it is the PDC and the machine I was running nltest against is my other 2k3 DC).

      Other unusual behaviors... I'm unable to join new workstations to the domain. I set up a machine the other day and attempted to join it over the weekend. I get an error as if it can't find the domain. I ran dcdiag on the DC that caused event 5722 (not the DC that logged it, mind you) and I get the following failure (everything else passes):

      Starting test: NetLogons
      * Warning BUILTIN\Administrators did not have the "Access this computer from network" right.

      [INTERNAL-DC] An net use or LsaPolicy operation failed with error 1, Incorrect function...........................

      INTERNAL-DC failed test NetLogons

      I think the 5722 was logged when I ran dcdiag and got that error. Netdiag passes everything.

      I just re-ran netdiag and did NOT receive the netlogons error from the other day.

      the only thing I did this morning was disable the "Domain member: Digitally encrypt or sign secure channel data (always)" GPO.

      I've also got failure audit in the security log on my PDC for oldNTdomain$$$ from last week. I was attempting to get the old domain completely migrated to 2k3. The NT DC is still online as I'm concerned it didn't migrate properly.

      Sorry, I know it's a lot for one post. Any insights? Was there something special I had to do to migrate the SIDHISTORY that you mentioned earlier? I tried using the sidhist.vbs that comes with the XP SP2 support tools but I think I'm not getting the syntax right. The destination domain needs to be the FQDN... is that right? Argh, what a way to start the week.


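Added example (PowerShell, not from the thread): the two checks post #3 is chasing, run on the DC that logged event 5722. The names are assumed placeholders: domain corp.example.local and partner DC DC2.corp.example.local. PowerShell and Get-WinEvent did not ship with Windows 2003, so this is written for a Windows Server 2008 or later DC; nltest and w32tm behave the same as on the 2003 box.

```powershell
# Added example, not from the thread: list recent NETLOGON 5722 events on this DC,
# then query and verify this DC's secure channel and its clock offset to a partner DC.
# Assumed names: domain 'corp.example.local', partner DC 'DC2.corp.example.local'.
# Run as a domain admin on the DC that logged 5722.
param(
    [string]$Domain    = 'corp.example.local',
    [string]$PartnerDc = 'DC2.corp.example.local',
    [int]$Days         = 7
)

# 1) 5722 is logged on the DC that *received* a failed secure-channel setup; the
#    message names the computer account whose password or trust is out of step.
$since  = (Get-Date).AddDays(-$Days)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5722; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
"{0} NETLOGON 5722 event(s) in the last {1} day(s)" -f $events.Count, $Days
foreach ($e in $events) {
    # First line of the message carries the failing account name.
    "  {0:u}  {1}" -f $e.TimeCreated, (($e.Message -split "`r?`n")[0])
}

# 2) Query, then verify, the secure channel from this DC to the domain.
#    /sc_query only reports (this is what the post ran); /sc_verify forces a
#    check and re-establishes a stale channel.
nltest "/sc_query:$Domain"
nltest "/sc_verify:$Domain"
$channelOk = ($LASTEXITCODE -eq 0)

# 3) Clock offset to the partner DC. Kerberos rejects skew above 5 minutes by
#    default, and a skewed clock is a common reason a secure channel cannot be set up.
#    /dataonly prints one "HH:MM:SS, +00.0123456s" line per sample.
$lines  = w32tm /stripchart "/computer:$PartnerDc" /samples:3 /dataonly
$offset = $lines |
          ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } } |
          Select-Object -Last 1
"Clock offset to {0}: {1}s" -f $PartnerDc, $offset
$clockOk = ($null -ne $offset -and [math]::Abs($offset) -lt 300)

if (-not ($channelOk -and $clockOk)) {
    Write-Warning 'Secure channel or clock check failed; fix these before chasing 5722 further'
    exit 1
}
```

Run it on both DCs: the 5722 lands on the DC that rejected the setup, while sc_verify reports from the side that initiated it, so each DC tells half the story.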

      • #4
        The easiest way to migrate sidhistory is to do it at the same time as the user account migration.

        There are some steps you need to take before doing this (e.g.):

        1) Win 2K3 needs to be in native Mode
        2) You need SP4 or greater installed on NT Domain PDC

        And I think you may need to enable auditing and TcpipClientSupport.

        Actually just see Daniel's usage doc migration_tool_usage_nt_w2k.htm

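Added example (PowerShell, not from the thread and not from the migration_tool_usage doc): a pre-flight script for the ADMT SIDHistory prerequisites listed above (target domain out of mixed mode, SP4 or later on the NT4 PDC, TcpipClientSupport, auditing, and the SOURCEDOMAIN$$$ local group that the failure audit in post #3 refers to). All names are assumed placeholders: source NT4 PDC NT4PDC, source NetBIOS domain OLDNTDOM, target domain corp.example.local. It assumes a host with the ActiveDirectory module, and that the NT4 PDC still accepts remote-registry and WinNT-provider (NetBIOS/RPC) connections from it.

```powershell
# Added example, not from the thread: pre-flight check for ADMT SIDHistory prerequisites.
# Assumed names: source NT4 PDC 'NT4PDC', source NetBIOS domain 'OLDNTDOM',
# target domain 'corp.example.local'. Run as a target-domain admin from a host with the
# ActiveDirectory module; the source PDC must accept remote-registry and WinNT-provider
# connections.
param(
    [string]$SourcePdc    = 'NT4PDC',
    [string]$SourceDomain = 'OLDNTDOM',
    [string]$TargetDomain = 'corp.example.local'
)
Import-Module ActiveDirectory -ErrorAction Stop

$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, $Value, [bool]$Pass) {
    [void]$script:checks.Add([pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass })
}

# 1) Target domain must be out of Windows 2000 mixed mode, or sIDHistory cannot be written.
$mode = (Get-ADDomain -Identity $TargetDomain).DomainMode
Add-Check 'Target domain functional level' $mode ($mode -ne 'Windows2000MixedDomain')

# 2) Source PDC at SP4 or later, and TcpipClientSupport = 1 under
#    HKLM\SYSTEM\CurrentControlSet\Control\Lsa so LSA accepts ADMT's calls over TCP/IP.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SourcePdc)
    $csd  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('CSDVersion')
    Add-Check 'Source PDC service pack' $csd ($csd -match 'Service Pack [4-6]')
    $tcp  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue('TcpipClientSupport')
    Add-Check 'Source PDC TcpipClientSupport' $tcp ($tcp -eq 1)
} catch {
    Add-Check 'Source PDC registry' $_.Exception.Message $false
}

# 3) An empty local group <SOURCEDOMAIN>$$$ must exist on the source PDC; ADMT
#    requires it and it shows up in the audit log (the oldNTdomain$$$ entries).
$grpName = $SourceDomain + '$$$'
$grpPath = 'WinNT://' + $SourcePdc + '/' + $grpName + ',group'
if ([adsi]::Exists($grpPath)) {
    $members = @(([adsi]$grpPath).psbase.Invoke('Members'))
    Add-Check "$grpName group exists and is empty" $members.Count ($members.Count -eq 0)
} else {
    Add-Check "$grpName group exists and is empty" 'missing' $false
}

# 4) Account-management auditing (success and failure) on the target DC. The NT4 side
#    has no auditpol: check User Manager for Domains > Policies > Audit by hand.
$auditLine = auditpol /get /category:'Account Management' 2>$null |
             Where-Object { $_ -match 'User Account Management' } | Select-Object -First 1
$auditText = if ($auditLine) { ($auditLine -replace '\s{2,}', ' ').Trim() } else { 'not found' }
Add-Check 'Target DC: User Account Management audit' $auditText ($auditText -match 'Success and Failure')

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning 'Fix the failing items before running ADMT with SIDHistory'
    exit 1
}
```

The registry and WinNT-provider reads are the parts most likely to fail from a current host talking to NT4 (SMB1 and NTLM are usually disabled today); if they do, run those two checks on the PDC console instead and keep the rest.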

        • #5
          Maybe I'm just impatient. It looks like, with no intervention from me, some of my problems have been fixed. AD synchronization perhaps?

          I can create users and log them onto the domain without having to add them to the Domain Admins group. No clue when this started working but it just does.

          I run dcdiag on both DCs and everything passes.

          I still can't seem to join workstations to the domain. I wrote down the error I'm getting and it's a doozy. I'm gonna go out on a limb and say that it's DNS related...

          The domain name myDomain might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS

          If you are certain that the name is not a NetBIOS name, then the following information can help you troubleshoot your DNS configuration.

          An error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for the domain myDomain.

          The error was: "No DNS server configured for local system."
          (error code 0x0000267C DNS_ERROR_NO_DNS_SERVERS)
          The query was for the SRV record for _ldap._tcp.dc._msdcs.myDomain

          I am using a NetBIOS name to try to join the domain. I've also tried using the FQDN but I get the same error.

          At first I thought WINS was out of sync. My BDC used to be the PDC and the current PDC wasn't completely up to date. Replicated WINS and still no go. DNS appears to be working fine for existing workstations. There's a DNS server running BIND with an external IP that then relays to my internal domain controller. The domain controllers then replicate DNS info with each other. Nothing has changed on the outside. I'm stumped.

          I realize this is a little off topic from the original post. Maybe it should be moved.


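Added example (PowerShell, not from the thread): the DC-locator steps the domain-join wizard runs before it reports the error quoted in post #5, run on the workstation that will not join. The domain name corp.example.local is an assumed placeholder; Get-DnsClientServerAddress, Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later, nltest is the same on older clients.

```powershell
# Added example, not from the thread: reproduce the DC-locator steps the domain-join
# wizard runs before it fails with DNS_ERROR_NO_DNS_SERVERS (0x267C) or a missing
# SRV record. Run on the workstation that will not join. 'corp.example.local' is an
# assumed placeholder for the target AD DNS name.
param([string]$Domain = 'corp.example.local')
$ok = $true

# 1) 0x267C means the resolver has no server to ask at all. An interface with no
#    driver, or a static IP with an empty DNS list, both end up here.
$dnsCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses.Count -gt 0 }
if (-not $dnsCfg) {
    Write-Warning 'No IPv4 DNS server is configured on any interface'
    $ok = $false
} else {
    $dnsCfg | ForEach-Object { "{0}: DNS {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }
}

# 2) The exact record the wizard asks for. A resolver that cannot answer for the
#    _msdcs subdomain (e.g. an external BIND box with no forwarder to the DCs)
#    fails here even though ordinary A-record lookups work.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = @()
try {
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' })
    $srv | ForEach-Object { "SRV {0} -> {1}:{2} (priority {3})" -f $srvName, $_.NameTarget, $_.Port, $_.Priority }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    $ok = $false
}
if ($srv.Count -eq 0) { Write-Warning "No SRV records returned for $srvName"; $ok = $false }

# 3) For every advertised DC, confirm LDAP (389) and Kerberos (88) are reachable;
#    the join needs both.
foreach ($rec in $srv) {
    foreach ($port in 389, 88) {
        $t = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
        "{0}:{1} {2}" -f $rec.NameTarget, $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'unreachable' })
        if (-not $t.TcpTestSucceeded) { $ok = $false }
    }
}

# 4) Finally ask the DC locator itself; this is the call whose failure the wizard's
#    error text describes, and its output names the DC and the flags it matched.
nltest "/dsgetdc:$Domain"
if ($LASTEXITCODE -ne 0) { $ok = $false }

if (-not $ok) { Write-Warning 'Fix the items above before retrying the join'; exit 1 }
```

Step 1 is the one that would have caught post #6: with no NIC driver there is no interface, no DNS server list, and the resolver reports 0x267C before any query leaves the machine.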

          • #6
            Before wasting any time on this...

            I guess with all the craziness I missed the obvious. After doing fresh installs of both these machines, I didn't realize the driver for the NIC isn't installed. I just saw link light and thought "OK we're good". Boy do I feel stupid.
