I have an existing NT PDC on a network with a new Windows 2000 server. I want to take the old NT server off network and install Active Directory on 2000 server. Can I copy or move the existing Domain and users from the old NT server to 2000? What is the best way to do this? I am sure I will be doing this over and over again in the next year.
You have to upgrade the NT PDC server first to Win2000. You can not copy or move the existing domain and users from one server to another.

By the way, just in case the upgrade does not work, be sure to have an NT BDC on the network and do a Domain Synchronization between the NT PDC and BDC(s) before you start the NT PDC upgrade. That way, if the upgrade fails, you can keep your NT domain intact by promoting an existing BDC to PDC and shutting down the existing PDC.

Once you have successfully upgraded your NT BDC to Windows 2000 Active Directory Controller, you have an Active Directory (mixed mode) network. You can now build a new Windows 2000 server domain controller from scratch and join it to the AD as well as upgrade your existing PDCs to Windows 2000.
If you only have ONE PDC and NO BDC (many small IT shops fit this description), the following procedure is a must so that if you have to roll back to the way things were before, you can go back to the UNTOUCHED original PDC machine. If they have been using a single NT 4 PDC, chances are very good that it is time to retire that old server anyways. Hardware is cheap, cheap, CHEAP these days!

Well, I would have to say that the SAFEST way to do this is to take a new machine (if you have that luxury) that will become the new AD domain controller and install NT 4.0 Server and make it a BDC in your current domain. Once it is a BDC, you can promote it to the PDC. Once you do that, install Win2K with DDNS (might need WINS too for a while). When the in-place upgrade is complete and running for a while, you can upgrade the old server to Win2K and make it a domain controller as well for redundancy, or simply retire it.

Good luck.
Chuck
0 Votes
Microsoft actually has a pretty good white paper or something on this. We used it in my MCSE classes. Sorry I don't have the link or name.

What the other people suggested doing -BEFORE- you migrate is excellent advice, and crucial to CYA. With those preliminary steps in place, you won't believe how easy the migration process is. Active Directory rocks.

Pete
0 Votes
BDC off line
sfix@... 6th Jun 2003
We haven't gone through the upgrade yet, but everything I've read about having a "safety net" says to take the BDC offline before doing the upgrade.
0 Votes
ADMT
harrisrohan@... 25th Jun 2003

Isn't there an Active Directory Migration Tool (ADMT) available now that you can use to carry over all objects from NT to 2000? I understand that it actually works; you should check it out.
Use the ADMT v2 downloadable from Microsoft Win2K website

ADMT v2 can even "migrate" user password
0 Votes
1) Plan, plan and more planning
-Microsoft has ample free resources and checklists to help plan a migration
2) Redundancy and recoverability
-whatever method you choose, ensure that you can "rollback and recover" in case of disaster
3) ADMT is the recommended way to go. It has several wizards that will help you through the SAM and service etc. migrations and there are "test modes" as well as other features specifically designed to provide some fault tolerance and recoverability during the migration process.
2 methods of WinNT to Win2K migration:

- in-place upgrade (faster, more straightforward; however, this is still a "big-bang" approach, so it is important to ensure there's always an offline BDC. SID will stay. Can remain as mixed mode permanently after migration, i.e. can have NT4 PDC/BDCs + Win2K DCs)

- new pristine tree (set up a new AD forest, and use ADMT v2 to duplicate accs, gps, etc. from old NT domain. SID will change since new domain, but with SIDHistory field to keep the old SIDs, most ACLs should have no problem. The new AD forest will need to be in native mode straightaway, i.e. no NT4 PDC/BDCs in the forest)

good references:
- http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/sdgintro.asp
- http://www.syngress.com/book_catalog/76_winad/76_ad_ce_02.htm
0 Votes
It's easy
coxmcse@... 10th Sep 2003
If you want to maintain the same domain name, it should be fairly easy. I'd first make a BDC (good insurance even if you don't migrate) and allow it to synchronize and then take it offline while the change takes place. Then I'd upgrade the existing PDC to Windows 2000 (completes the migration to an AD domain) and then run DCPROMO on the new Win2K server you built. Once this new DC is online and the FSMO roles are transferred, you can safely take the original DC offline by doing a DCPROMO on that one (demotes it) and then remove it from domain.

The above instructions provide an overview and should not be taken for an actual plan! Go to http://www.microsoft.com/windows2000/techinfo/planning/pds-cduadtoc.asp for more info. The "Domain Migration Cookbook" is a good start.
0 Votes
It appears to me that, due to the new universal trust relations between domains in a forest, any domain-admin of a particular domain becomes now an admin through all domains of the forest. Assuming that this is true, and assuming further that I want to inhibit another admin from becoming admin of "my" domain, then I would have to create separate forests instead of domains. In a small or medium sized network that might prove a big cannon for a small bird.

Is there any other way to achieve it?

Regards
Uwe
0 Votes
trusts
cmeredith@... 22nd Oct 2003
Having a trust set up only allows you to give access to resources to accounts elsewhere that you want to. Other Domain Admins will not become admins in your domain, unless you make it that way by adding their domain admins groups to yours once in native mode or their specific accounts to your domain admins group. The enterprise admins, which reside at the forest level, however, will have access to your domain inherently.
0 Votes
trusts
bkmead 26th Mar 2004
Chris is correct that the enterprise admins have access to your domain. However, Microsoft also states that within a forest, "Domain owners cannot prevent other malicious domain owners from controlling their services and accessing their data." So, a domain is no longer a security boundary as it was in NT. Automatic trusts and a shared directory are not what everybody wants or needs. The forest is really the security boundary now. The rest is just more fluff that you have to wade through.
0 Votes
Another beauty of AD is the Group Policy. However, the original Group Policy mgt snap-in is not so user-friendly. Just get a WinXP SP1 or Win2k3 non-DC server joined to the Win2K forest, and install the GPMC (GP Mgt Console).

It does a lot of wonders if you use it properly. But a pity is that it only works for Win2K and above machines.
What are the benefits of creating a DOMAIN
Please send me the list of benefits I can get from a domain.