AD - Which is the best to migrate first? Server or Workstation

By Pinju25
First time caller...

Now the answer may seem rather obvious, but as in most cases the scenario changes things and I can't find an answer to really suit our situation.

We have our AD forest and the existing NT users already have the Exchange accounts in an AD domain using their NT credentials.

We're due to migrate the users to AD and the associated member server (we traditionally have one NT server local to the site, the rest of the infrastructure is remote.)

I'm a desktop guy traditionally and I'm charged with making sure the desktop has the same look and feel, albeit with an updated OS etc. Now, here's where it gets tricky. The users themselves currently log on to their PC using a generic account, not their own (local profile, not roaming) and then sign into Outlook via their own credentials. We're moving to a single sign-on at long last, so we can use groups and proper security.

Now, if any of the above makes any odds, should we ideally upgrade the member server first (I think so) or the workstations? The servers currently are on the NT domain and have no knowledge of the AD domain, so in effect I have to fudge the permissions...but also, as there was next to no security using the generic logons, I feel this is almost useless.

Anyway, I think I've rambled enough. I'd love to hear your comments.




All Answers


Cracks in Albion's Foundation

by BFilmFan In reply to AD - Which is the best to ...

First, you have a total mess on your hands; but, I am sure you know that.

The good news is that the users already have accounts in the AD domain where Exchange is running. In AD, user accounts are either mail-enabled or they are not mail-enabled.

So here is my advice:

Get Security Explorer first:

Create a one-way trust where the NT domain trusts the AD forest.

Use Security Explorer to grant the AD user accounts permissions on the resources on the NT domain.

That will let you use security group membership to grant permissions.

Once you have all of the security permissions in place, remove the NT server from the NT domain and place it into the AD forest.

If that NT server is a PDC, then you have a much larger problem, as you can't take it out of the NT domain. You will either be stuck with it as is or you will have to have a new server in the AD domain and move the files and folders to it.

Depending on the size of your environment, that could be 6 months to 2 years of work there.
