Migration for NT 4.0 to Windows Server 2008 Domain Controller

[Ray Chiang]

Hi,

Is possible to upgrade NT 4.0 to Active Directory 2008?

Thank you,

Ray

[Meinolf Weber]

Hello Ray,

Not supported if i understand this correct:

Install a new Windows Server 2008 forest
When you install AD DS to create the first domain controller in a new Windows
Server 2008 forest, keep the following considerations in mind:

. You must make forest and domain functional level decisions that determine
whether your forest and domain can contain domain controllers that run Microsoft
Windows® 2000 Server, Windows Server 2003, or both.

. Domain controllers running the Microsoft Windows NT® Server 4.0 operating
system are not supported with Windows Server 2008.

. Servers running Windows NT Server 4.0 are not supported by domain controllers
that are running Windows Server 2008.

. The first Windows Server 2008 domain controller in a forest must be a global
catalog server and it cannot be an RODC.



Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> Is possible to upgrade NT 4.0 to Active Directory 2008?
>
> Thank you,
>
> Ray
>

[sajidaniel]

Hello Ray,

Just to make it more understandable, you can ofcourse upgrade to server 2003
SP1(minimum OS needed) domain and then to 2008.

[David Shen [MSFT]]

Hello Ray,

Thanks for using newsgroup.

What Meinolf said is correct. We cannot directly upgrade Windows NT4.0
domain to Windows Server 2008 domain.

In order to smoothly upgrade the domain, here are two recommended upgrade
routes for your reference.

Route 1.

A. Upgrade Windows NT 4.0-Based PDC to Windows Server 2003-Based domain
controller.

For more detail steps, please refer to:

How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based
Domain Controller
http://support.microsoft.com/kb/326209

Moving from Windows NT 4.0 Server to Windows Server 2003
http://download.microsoft.com/downlo...3-b665-8bd62fa
bbc1e/How-to-Migrate-from-NT-to-WS2003.pdf

B. Then upgrade Windows Server 2003 based domain to Windows Server 2008
domain.

For more detail steps, please refer to:

Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains
http://technet2.microsoft.com/window...1be5f-df14-40b
2-b176-2b1852a51e611033.mspx?mfr=true

Route 2.

We may also use ADMT 3.1 to migrate from Windows NT 4.0 source domain to
Windows Server 2008 domain.

Since ADMT 3.1 Beta has been available for public evaluation. If you are
interested, please refer to the steps provided in the following below link
to apply for ADMT 3.1 Beta.

ADMT 3.1 Beta
http://blogs.technet.com/ad/archive/...-3-1-beta.aspx

Hope it helps.

David Shen
Microsoft Online Partner Support

[Ray Chiang]

Hi David,

Thank you for your information.
Do you mean that I cannot use in-place upgrade method for doing a migration,
but I can build a new forest and use ADMT to migrate the user's accounts?

If route 2 is ok, this is a great news for me. It is because my company
would like to change a domain name, so I plan to use ADMT for doing a
migration also.

[David Shen [MSFT]]

Hello Ray,

What Meinolf said is right. You can migrate domain resource with ADMT from
the old domain to the new domain.

For you convenience, I have list a ADMT migration guide just for your
reference.

ADMT v3 Migration Guide
http://www.microsoft.com/downloads/d...770-3bbb-4b9e-
a8bc-01e9f7ef7342&DisplayLang=en

Hope it helps.

David Shen
Microsoft Online Partner Support

[David Shen [MSFT]]

Hello Ray,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

David Shen
Microsoft Online Partner Support

[Ray Chiang]

Hello David,

I may use route 1 for doing a migration. I will upgrade NT domain to 2003DC
in first phase and upgrade to 2008DC once 2003DC was working properly

I would like to ask for more information for this migration.
My company was running “PDC + Exchange 5.5” in same server. The hardware of
PDC is not support for doing in-place upgrade. I cannot install the other BDC
for doing in-place upgrade because Exchange 5.5 was installed on PDC.
Therefore, I plan to use ADMT for doing a migration. However, I am not sure a
sequence for upgrading a NT 4.0 and exchange 5.5 to AD 2003 and exchange 2003.
Could you please give me some advice?

Thank you.
Ray

"David Shen [MSFT]" wrote:

> Hello Ray,
>
> I am just writing to see how everything is going. If you have any updates
> or need any further assistance on this issue, please feel free to let me
> know. I am glad to be of assistance.
>
> David Shen
> Microsoft Online Partner Support
>
>

[David Shen [MSFT]]

Hello Ray,

According to the description, this migration issue seems to be related to
Exchange

Here is Windows Server Migration newsgroup and we mainly focus Windows
Server side migration issues here.

However, you are welcome to post Exchange related questions to our Exchange
queues:

Public.microsoft.exchange.admin

The engineers and newsgroup members there are more experienced on
Exchange-related issues, and should be able to provide you with suggestion
on the Exchange related issue.

Having said the above, I would like to share some knowledge with you.

Common Mistakes When Upgrading Exchange 5.5/2000 To a Exchange 2003
http://support.microsoft.com/kb/555262

Considerations When You Upgrade to Exchange Server 2003
http://support.microsoft.com/kb/822942

Hope all the information will be helpful for you.

Thanks for your understanding.

David Shen
Microsoft Online Partner Support

[sajidaniel]

hi,

We have a scenario like this.

We are migrated our NT to Win 2003 but still using NT as a file server. There is a trust relation between NT & 2003. So without any issues we are using both the servers. We made a mistake while creating Win 2003. It is a single label domain. MS does not support SLDN is future. So we are planning to put one more server with Win2008 and migrate AD from win 2003. But still we want to use NT as a file server. How do we do this.
Expert advise is needed.

Thanking you

Saji Daniel

[David Shen [MSFT]]

Hi Customer,

It seems there are multiple issues posted in this thread. Generally, we
request one question per post in the newsgroups. In order to concentrate
fully on each of these issues and provide clarity for others that may be
following here, we ask that you post them as separate threads.

In that way each issue can receive full attention from the Support
Professional to whom it is assigned. This will also make the thread more
clear and consistent for your reference. Please feel free to open different
posts for these questions. We will be very glad to work with you.

Thank you for your patience and understanding.

David Shen
Microsoft Online Partner Support

[David Shen [MSFT]]

Hi saji,

According to the description, you have migrated Windows NT 4.0 domain to
Windows Server 2003 domain, which is a single label domain. And you want to
migrate the single label domain to Windows Server 2008 domain, meanwhile
you wish to preserve the file service on Windows NT 4.0. If I have some
misunderstanding, please feel free to let me know.

Analysis and Suggestion
=====================

As you descript, you are using Windows NT 4.0 file server and Windows
Server 2003 after migration domain to Windows Server 2003 system. For the
Windows NT 4.0 file server, I would like to suggest that you first migrate
the file server to the Windows Server 2003 computer, and then perform the
domain migration from the single label Windows 2003 domain to Windows
Server 2008 domain. Afterwards, you may preserve the file service on the
Window Server 2003 computer.

For more detailed steps about migration file server, please refer to
(05_Chapter_4_NT4FilePrint.doc) in the following link

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/downloads/d...6a0-76f0-4e25-
8de0-19544062a6e6&DisplayLang=en

Please perform a domain migration via ADMT v3.1 from the source Windows
2003 domain to the target Windows 2008 domain.

You can download this ADMT toolkit from the following link:

Active Directory Migration Tool version 3.1
http://www.microsoft.com/downloads/d...d01-7dca-413c-
a9d2-b42dfb746059&displaylang=en

Migrating and Restructuring Active Directory Domains Using ADMT v3.1
http://www.microsoft.com/downloads/d...919-1BA5-41CA-
B2F3-C11BCB4857AF&displaylang=en

The Password Export Server version 3.1 (PES v3.1) enables password
migrations during account migrations in an Active Directory Domain Services
infrastructure. It can be downloaded from the following links:

Password Export Server version 3.1 (x32)
http://www.microsoft.com/downloads/d...C3C-4757-40FD-
8306-68079BA9C773&displaylang=en

Password Export Server version 3.1 (x64)
http://www.microsoft.com/downloads/d...C61-1C00-4DA7-
9C0D-130200AED21A&displaylang=en

Hope it helps.

David Shen
Microsoft Online Partner Support

[sajidaniel]

Dear david,

I still want to use Win NT as a file server. Is it possible to do Trust relation between Win 2008 and Win NT.

thanking you

Saji Daniel

[David Shen [MSFT]]

Hi Saji,

Sorry for my late reply.

According to my research, we can establish the trust relationship between
Windows NT4 to Windows 2008. Before we establish the trust, we need to
changes the security setting in one GPO that is shown below:

Make sure that the following settings are configured:

RestrictAnonymous and RestrictAnonymousSam:Network access: Allow anonymous
SID/Name
translation ENABLED
Network access: Do not allow anonymous enumeration of SAM accounts
DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and
shares
DISABLED
Network access: Let Everyone permissions apply to anonymous users
ENABLED
Network access: Named pipes can be accessed anonymously ENABLED
Network access: Restrict anonymous access to Named Pipes and shares
DISABLED
LM Compatibility:Network security: LAN Manager authentication level "LM &
NTLM
responses" or "Send LM & NTLM - use NTLMV2 session security if negotiated"
SMB Signing, SMB Encrypting, or both:Microsoft network client: Digitally
sign
communications (always) DISABLED
Microsoft network client: Digitally sign communications (if server agrees)
ENABLED
Microsoft network server: Digitally sign communications (always) DISABLED
Microsoft network server: Digitally sign communications (if client agrees)
ENABLED
Domain member: Digitally encrypt or sign secure channel data (always)
DISABLED
Domain member: Digitally encrypt secure channel data (when it is possible)
ENABLED
Domain member: Digitally sign secure channel data (when it is possible)
ENABLED
Domain member: Require strong (Windows 2000 or later) session key
DISABLED

For more reference, please refer to:

Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/?id=889030

Hope it helps.

David Shen
Microsoft Online Partner Support

[sajidaniel]

Dear david,

Thank you for your reply.I get reply only from you.

I have seen the article http://support.microsoft.com/?id=889030
The above article applies to Win2003.

Can we apply the same to Win 2008

Thanking you

saji daniel