

Migrating NT domain directly to 2003 AD

By robert_dio
I have 300 users in an NT domain. I would like to migrate everything to a 2003 active directory structure.

Has anyone done this, and if so, what caveats do I need to watch for?

300 users
Want things from Outlook and Palm to transfer from NT account to 2003 account during migration.
Using the old NT domain in a trust relationship. Will this be adequate to let the new 2003 users have rights? I would hate to have to go back and reassign rights for 2003 AD objects. Got a better scenario?
Data will NOT be migrating to new 2K3 server.
NT server will NOT be upgrading to 2K or 2K3.
SMS and other utilities are not available to help. Most of this will have to be done 'on the fly'.

Any feedback would be a GREAT help!



by curlergirl In reply to Migrating NT domain direc ...

Well, I haven't done this with 2003, but I did do it with 2000, and I think it would be a very similar scenario. What I did was to set up an entirely new AD domain on the new 2K server and then migrate everything from the old domain to the new one. There are migration tools that are available from MS - primarily the AD Migration tool, which assists you in migrating your users from your old NT domain to the new AD domain; and if you have Exchange in the mix also there are tools for connecting Exchange 5.5 to AD and also, if it will be part of your plan, for migrating mailboxes from older versions of Exchange to 2000 or 2003. When I did this with Win2K, I was able to set up a trust relationship between the old NT domain and the new AD domain so that everything was pretty much transparent to the users as I moved programs, data and services to the new domain. Then, the last thing I did was to unjoin the workstation from the old domain and join the new one. I did this manually because I didn't really trust the migration tool to do it properly, plus I only had about 75 workstations to migrate rather than 300. So, you might want to migrate the workstations through the ADMT also.

Hope this helps!


by D_V Ant In reply to Migrating NT domain direc ...

We used software from Quest during our migration. It did a good job migrating the users' settings from their old domain profile to the new one. All of their desktop settings, Outlook, and My Documents folders were transferred. It even caught their pst files. There are other programs out there that can accomplish this for you. Quest is the only one I have had any experience with.


by bkinsey In reply to Migrating NT domain direc ...

We just did the same thing 4 months ago, and learned a few lessons. . .

First, your approach depends on your timeframe (i.e. all-at-once versus staged migration). If you can (or want to try to) do it all at once, plan on working all weekend, but it can be done with a network that size. In that case, you don't necessarily need a trust between the old NT domain and the new AD, although it won't hurt to put it in place, just in case you don't get done. If you're staging it over a period of time, and need to keep people connected to resources during the transition period, you definitely need to have a trust in place.

But a word of caution on trusts and user rights in the old domain; if I understand you correctly, you'll have data on servers in the old domain that you need your new AD users to access, using the same rights they had as NT users? If so, then no, a trust is not all you need, although it is required. The trust merely allows cross authentication, but if the AD accounts aren't in any of the ACLs in the NT domain, they'll function just like any other account without proper access. . . .

Solution to this problem in the next post; I'm getting too long in this one. . . .


by bkinsey In reply to

There is a SIDHistory option in the ADMT (Active Directory Migration Tool) - worked very well for us, and is supposed to be a lot better than the 2000 version, which I never played with. What that does in essence is tie the user's old SID from the NT domain to their new AD account as an additional field. That way, when your AD user accesses NT-based resources via your trust, the NT domain is passed both his AD SID, which doesn't match anything it knows about, and his old NT SID, which is still matched to all the ACLs in the NT domain. . . .

The other big thing to address is Exchange, if you're running it, and moving to 2003 along with your user/machine migration. If you create a new Exchange org for your 2003 server, you will break the Exchange migration wizard that would otherwise (allegedly; we made this mistake, and thus can't vouch for the "easy" process) seamlessly migrate your mailboxes and associate them with the new AD users. The supported method is to join your 2003 Exchange box to the same Exchange org your 5.5 box is in. Then the migration tool works.

If, for some reason, you need or want to have your 2003 org different from your 5.5 one, plan on an alternate means of migrating your mailboxes. ExMerge will do it, without any problems, but you'll need to be aware of the need, preferably before you find out the hard way and spend 2 days trying to find and learn a new utility. . . :-)
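A toy model of the access check described in bkinsey's two posts above, added here as an illustration and not part of the thread: it compares a trust alone, a trust plus SIDHistory, and the same account when the trust filters out SIDs from other domains. All SIDs, the account name and the function names are constructed, and the SID filtering case is an assumption the thread itself does not discuss.

```python
# Toy model of a cross-domain access check; every SID below is constructed.
from dataclasses import dataclass, field

NT_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # old NT domain
AD_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"  # new AD domain

@dataclass
class Account:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)

def token_sids(account, trusted_domain, sid_filtering):
    """SIDs the NT resource server sees for a user arriving over the trust."""
    sids = [account.sid] + list(account.sid_history)
    if sid_filtering:
        # Assumption: filtering drops every SID not issued by the trusted domain.
        sids = [s for s in sids if s.startswith(trusted_domain + "-")]
    return sids

def has_access(acl, sids):
    """Allow-only ACL: access is granted if any presented SID is listed."""
    return any(s in acl for s in sids)

def migrate(old, new_rid, keep_sid_history):
    """Create the AD account, optionally carrying the NT SID as history."""
    history = [old.sid] if keep_sid_history else []
    return Account(old.name, f"{AD_DOMAIN}-{new_rid}", history)

nt_user = Account("jdoe", f"{NT_DOMAIN}-1105")
share_acl = {nt_user.sid}  # ACL on the NT file server, never re-permissioned

def scenarios():
    plain = migrate(nt_user, 2201, keep_sid_history=False)
    with_hist = migrate(nt_user, 2201, keep_sid_history=True)
    return {
        "trust_only": has_access(share_acl, token_sids(plain, AD_DOMAIN, False)),
        "sid_history": has_access(share_acl, token_sids(with_hist, AD_DOMAIN, False)),
        "sid_history_filtered": has_access(share_acl, token_sids(with_hist, AD_DOMAIN, True)),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:22} -> {'access' if allowed else 'denied'}")
```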
