  • NT4 Migration...

    First, sorry in advance for the length of this post - I wanted to give enough detail.

    I have an NT 4 sp6a domain that I'm trying to upgrade to Windows Server 2003.

    I currently have 8 NT 4 servers (1 PDC and 2 BDCs) and 2 Windows Server 2003 member servers in the domain. The domain is named ABC. We have a registered internet domain name, abcxyz.com.

    I have 3 brand new servers. I hope to integrate / replace these new servers as part of my migration.

    I first thought to follow the generally advised route for this upgrade - Install NT onto one of the new servers. Make it a BDC in the existing domain. Promote it to the PDC. Take it offline and upgrade it to Windows Server 2003. Bring it back online and so on.

    I tried it once but ended up having to revert back to my old domain. It seems to me that using this plan isn't such a great idea because there is no real way to properly do any testing of the Win 2K3 domain. With so many things to migrate (proxy server, web server, SQL server, Exchange Server, etc), it seems that every time something new is migrated there's a high risk of failure.

    I decided to take my 3 new servers and use them to create a new AD domain. Once this has been tested I can then migrate applications and users, etc to the new domain.

    My questions are as follows:

    1. Does this seem like a reasonable idea or does the initial plan sound better?

    2. I'm a little confused about setting up the AD domain. I have installed Windows Server 2003 on 2 of my new servers. I made them part of a workgroup named WORKGROUP. The problem is (well, I don't know if it's a problem but I guess it's the root of my question), these 2 Win 2K3 servers are on the same cabling system as my existing NT domain. The new Win 2K3 servers (in the workgroup) can see, ping and access (with the proper credentials) the servers in the NT domain.

    Can I simply install AD onto one of the new servers and create an AD domain on the same cabling network as my existing NT domain or will I run into trouble if I install AD like this?

    3. I was thinking to name the AD domain abc.abcxyz.com (using what I said earlier about our current domain names). Does this seem right or would it be better name it something like abc.local?

    Sorry, the second question is hard to phrase properly, hopefully that was legible.

    Thanks in advance for your help!
    Bill

  • #2
    Re: NT4 Migration...

    I'm not the greatest at this but I'll give it a stab - I'm sure others will contribute / correct me if I am wrong:

    1. I would set up 2 servers with AD, DNS and DHCP using dcpromo. These two servers will be your Active Directory servers. PDCs and BDCs don't strictly exist within a Windows 2000 / 2003 environment. You can then place a 2-way trust between your new Win2k3 domain and NT4 domain. You can then install ADMT (Active Directory Migration Tool) onto one of the Win2k3 servers and migrate user accounts and computer accounts from your old NT4 domain to Win2k3.

    2. You can run your two networks on the same cabling system but not with the same IP addresses.

    3. If it's an internal domain then the correct name should be abcxyz.local - If it's going to be internet facing such as a webserver then best to use the FQDN.

    It may not be useful but it's a start.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician



    • #3
      Re: NT4 Migration...

      Originally posted by wgordon
      I currently have 8 NT 4 servers (1 PDC and 2 BDCs) and 2 Windows Server 2003 member servers in the domain. The domain is named ABC. We have a registered internet domain name, abcxyz.com.
      Some things you need to consider:
      - If you want to keep the same NETBIOS domain name, the simplest route (without using swing temp domain) is the in-place upgrade.
      - It is generally not a good idea to have AD configured with FQDN that will be used to access your company from outside as you will be facing so called "split brain DNS" - you will need to manage DNS records on two sets of DNS servers: internal and external.

      The common practice is to either use the company.local notation for internal AD or to buy another domain name which will be used only internally (e.g. company.net, while from outside you are company.com).
      Originally posted by wgordon
      I decided to take my 3 new servers and use them to create a new AD domain. Once this has been tested I can then migrate applications and users, etc to the new domain.

      My questions are as follows:

      1. Does this seem like a reasonable idea or does the initial plan sound better?
      As long as you do not have legacy applications which have a dependency on the old NETBIOS domain name, this route will let you start from a fresh and clean environment.
      If you have an option to start up with a fresh and clean environment, use it. No need to drag NT4 legacy leftovers into the new environment.

      I would probably tackle this by installing a new AD, configuring it the way I want and later migrating the users/computers with ADMT (v2 can also migrate passwords)

      Originally posted by wgordon
      2. I'm a little confused about setting up the AD domain. I have installed Windows Server 2003 on 2 of my new servers. I made them part of a workgroup named WORKGROUP. The problem is (well, I don't know if it's a problem but I guess it's the root of my question), these 2 Win 2K3 servers are on the same cabling system as my existing NT domain. The new Win 2K3 servers (in the workgroup) can see, ping and access (with the proper credentials) the servers in the NT domain.

      Can I simply install AD onto one of the new servers and create an AD domain on the same cabling network as my existing NT domain or will I run into trouble if I install AD like this?
      Yes, as long as you are not creating a NEW domain with the same NETBIOS name - Netbios name collisions are not fun to troubleshoot.


      Originally posted by wgordon
      3. I was thinking to name the AD domain abc.abcxyz.com (using what I said earlier about our current domain names). Does this seem right or would it be better name it something like abc.local?
      If you are worried about user's SMTP addresses (is Exchange in the game ?) or user accounts names, this is not an issue, as you can have the domain called "abc.local" and still have the user accounts in the form "[email protected]" or "[email protected]". The same stands for Exchange.

      The only logical reason IMHO for AD having publicly accessible FQDN is when you have resources in the AD that will be exposed to the outside world. Otherwise, stick either to domain.local or buy a new domain name just for internal AD (and this domain will not be available from outside world for DNS queries)

      Hope I was clear enough.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Re: NT4 Migration...

        Wow, I never expected such a quick response! Thanks!

        It sounds like the best way to go then is to install a new AD domain on the 3 new servers and attempt a migration from there.

        By the way, if I set up a trust between my NT domain and the new AD domain will I then be able to use resources (like a SQL server) from within the other domain?

        In other words, I'll have a SQL server on the NT domain, can users on the AD domain access and use the SQL server from the NT domain? And vice-versa, as I migrate applications and files to the new AD domain will users logging into the NT domain be able to access them?

        I'm not particular about keeping the same domain name necessarily. Using abc.local seems like the way to go. By the way, it seems from the previous post that split-brain DNS is a bad thing - is that the case? If so, why? I've seen some references that seem to recommend it.

        As for DNS, as I mentioned we have a website (let's call it abcxyz.com), an intranet server and an Exchange 5.5 server. Our ISP is currently housing our external zone file. I have an internal DNS server on the NT domain for resolving local addresses. I'd like to let the ISP continue to maintain the zone file for our external resources (good idea or bad?). Am I correct to assume that in that case I'll just be creating a primary zone for my new abc.local domain with a forward lookup pointing toward the ISP's DNS servers?

        Thanks again for the great responses!



        • #5
          Re: NT4 Migration...

          Originally posted by wgordon
          In other words, I'll have a SQL server on the NT domain, can users on the AD domain access and use the SQL server from the NT domain? And vice-versa, as I migrate applications and files to the new AD domain will users logging into the NT domain be able to access them?
          If you set up a two-way trust, then yes, you will be able to access resources from any domain with an account from any domain as long as the ACL is configured to allow the accounts in question.

          Originally posted by wgordon
          I'm not particular about keeping the same domain name necessarily. Using abc.local seems like the way to go.
          Note that you have 2 names: AD's FQDN and AD's legacy NETBIOS name. I was referring to NETBIOS name and avoiding the collision of it with old NT domain (you would want to avoid having NT domain called ABC and having AD's NETBIOS name "ABC")

          Originally posted by wgordon
          By the way, it seems from the previous post that split-brain DNS is a bad thing - is that the case? If so, why? I've seen some references that seem to recommend it.
          Some people like it as from the user point of view it's very convenient: all the internal and external resources are in the same namespace.
          But this requires a lot of additional setup and maintenance.
          You will be maintaining 2 sets of DNS servers:
          - those responsible for abc.com for AD and can not be queried from outside
          - those responsible for abc.com and can be queried ONLY from outside.
          (exposing AD's DNS to outside is generally considered a bad thing (tm) )
          For each host that needs to be accessed from both sides, you will need to create a host record in both DNS groups.
          If you do not go the "split brain" route, you will only need to configure the host record only once.

          Originally posted by wgordon
          As for DNS, as I mentioned we have a website (let's call it abcxyz.com), an intranet server and an Exchange 5.5 server. Our ISP is currently housing our external zone file. I have an internal DNS server on the NT domain for resolving local addresses. I'd like to let the ISP continue to maintain the zone file for our external resources (good idea or bad?). Am I correct to assume that in that case I'll just be creating a primary zone for my new abc.local domain with a forward lookup pointing toward the ISP's DNS servers?
          Not exactly. The AD's DNS will be responsible for abc.local DNS zone, while the ISP will be authoritative for abcxyz.com (it's not a bad idea if the changes are rather static)

          Consider the following:
          No Split-brain
          AD namespace: abc.local (AD's DNS handles this zone)
          External website: www.abcxyz.com (record in ISP managed abcxyz.com zone)
          Internal webserver: www.abc.local (registered in internal DNS)

          In this case, all the internal resources are resolvable via internal DNS and www.abcxyz.com will be resolved via ISP's DNS servers.

          Split-brain
          - Both ISP *and* internal DNS are authoritative for abcxyz.com
          - Anyone from outside queries ISP's DNS servers for hosts in abcxyz.com zone.
          - Internal queries go to internal DNS.
          - ISP and AD host the same zone but are not aware of each other

          AD namespace: abcxyz.com
          Internal webserver: ww2.abcxyz.com (registered only in internal AD)
          External webserver: www.abcxyz.com (registered in BOTH ISP's and internal DNS)

          Internal clients point to internal DNS, which is authoritative for abcxyz.com, so in order for the DNS query for www.abcxyz.com (external webserver) to succeed, the internal DNS has to know about it.
          (this is the kind of maintenance overhead that I personally do not like )
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"
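The two DNS designs laid out in the post above, as an added example that is not part of the original thread. It models a DNS server that answers from the zones it is authoritative for and forwards everything else, then builds the "no split-brain" (AD in abc.local, forwarder to the ISP) and "split-brain" (AD in abcxyz.com) layouts. Host names, the ISP server and all addresses (10.0.0.0/8 internal, 203.0.113.0/24 for the public website) are constructed for illustration. The point it demonstrates is the one in the post: an authoritative server never forwards a query for a name in its own zone, so in the split-brain layout www.abcxyz.com is NXDOMAIN for internal clients until someone copies the ISP's record into the internal zone.

```python
"""Model of the two DNS designs discussed in the post above.

Added example, not part of the original thread. Zones, names and
addresses are constructed for illustration: 10.0.0.0/8 for internal
hosts, 203.0.113.0/24 (TEST-NET-3) for the external website.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Zone:
    """A DNS zone a server is authoritative for: FQDN -> IPv4 address."""
    name: str
    records: Dict[str, str]


@dataclass
class DnsServer:
    """Minimal server: answers from its own zones, forwards the rest."""
    name: str
    zones: Dict[str, Zone] = field(default_factory=dict)
    forwarder: Optional["DnsServer"] = None

    def authoritative_zone(self, fqdn: str) -> Optional[Zone]:
        # Longest-suffix match, like a real server's zone lookup.
        labels = fqdn.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return self.zones[candidate]
        return None

    def resolve(self, fqdn: str) -> Optional[str]:
        """Return the A record, or None for NXDOMAIN."""
        name = fqdn.lower().rstrip(".")
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative servers answer from zone data only. A missing
            # name is NXDOMAIN; it is never forwarded. This is the whole
            # split-brain maintenance problem.
            return zone.records.get(name)
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return None


def isp_dns() -> DnsServer:
    """ISP-hosted external zone: only the public website exists here."""
    return DnsServer("isp", {
        "abcxyz.com": Zone("abcxyz.com", {"www.abcxyz.com": "203.0.113.10"}),
    })


def no_split_brain() -> DnsServer:
    """AD in abc.local; internal DNS forwards everything else to the ISP."""
    internal = Zone("abc.local", {
        "dc1.abc.local": "10.0.0.1",
        "www.abc.local": "10.0.0.20",   # intranet server
    })
    return DnsServer("dc1", {"abc.local": internal}, forwarder=isp_dns())


def split_brain(duplicate_external_record: bool = False) -> DnsServer:
    """AD in abcxyz.com: internal DNS is authoritative for the same zone
    name the ISP serves, so public hosts must be copied in by hand."""
    records = {
        "dc1.abcxyz.com": "10.0.0.1",
        "ww2.abcxyz.com": "10.0.0.20",  # intranet server, internal only
    }
    if duplicate_external_record:
        records["www.abcxyz.com"] = "203.0.113.10"  # manual copy of ISP record
    return DnsServer("dc1", {"abcxyz.com": Zone("abcxyz.com", records)},
                     forwarder=isp_dns())


def main() -> None:
    queries = ["www.abcxyz.com", "www.abc.local", "ww2.abcxyz.com", "dc1.abcxyz.com"]
    designs = {
        "no split-brain": no_split_brain(),
        "split-brain, record not copied": split_brain(False),
        "split-brain, record copied": split_brain(True),
        "ISP view (outside client)": isp_dns(),
    }
    for label, server in designs.items():
        print(label)
        for q in queries:
            print(f"  {q:18} -> {server.resolve(q) or 'NXDOMAIN'}")


if __name__ == "__main__":
    main()
```

Running it prints one table per design. Two rows are the ones to compare: in the no split-brain layout www.abcxyz.com resolves through the forwarder without any internal record, while in the split-brain layout it is NXDOMAIN until `duplicate_external_record=True`. The ISP view also shows that dc1 and the intranet server never leak to outside clients in either design, which is the "AD's DNS is not exposed" property the post mentions.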



          • #6
            Re: NT4 Migration...

            I'll give it a try and hope for the best.

            Fortunately, as I mentioned, I'll be setting things up as a new network and I'll migrate my existing NT domain over gradually. This leaves me with a lot of room for experimentation (and mistakes).

            Thanks again for the great (and quick!) advice!



            • #7
              Re: NT4 Migration...

              And what about if I would like to maintain the same NetBIOS domain name without performing an in-place upgrade?

              I mean, I have the NT domain "migration", and on new hardware I have installed Win2003. Running dcpromo I have set the new domain as "migration.com", leaving the NetBIOS domain as "migration" for compatibility reasons with Win98 clients.
              However, it does not work, so I shut down the BDCs (the PDC was down from the start) and I did it successfully.

              However, when I turned on the BDC, it did not synchronize the old users to the new 2k3 DC, and when I set a new computer account in the 2k3 DC as a domain controller, the users synchronized were those of the new DC, not the BDC's existing ones.

              Any idea will be greatly appreciated



              • #8
                Re: NT4 Migration...

                So... you had an existing NT4 domain, and run dcpromo on a fresh w2003 box to create a new domain of the same name? They are still different, as you saw. No automagic replication!

                > And what about If I would like to maintain the same netbios domain name without performing an in-place upgrade?

                That's only possible if the old and new domain never co-exist in the same network. Very impractical.

                What's wrong with the in-place upgrade? Especially for small networks it's a great solution. You can easily test it as well. Take a BDC offline and put it in a separate network. Then, make it a PDC, and do the in-place upgrade.
