Active Directory Functionality Level and Trust

[SDK]

At the moment, I'm getting ready to do a pristine migration of NT to 2003. So right now, I have one DC in 2003 that run an AD in "Windows 2000 mixed" functional level with a two-way trust to a NT 4 Domain.

At the moment, I can take AD User and add them in NT 4.0 Security Group but I'm unable to add NT users into AD Group. Only the Universal Groups can contain users from another domain in an AD but right now, I cannot create Universal group because my AD is not in Windows 2000 native or Windows 2003 functionality level.

Question : Will raising my AD functionally level to Windows 2000 native or Windows 2003 will broke my two-trust between my 2003 AD and NT Domain??

[Tiger Shark]

Trusts are dangersous and sometimes thay fail badly forcing you to move ahead of schedule to get everything into the same domain.

I do remember that the NT trust mechanism is different to the Win2k trust mechanism. The thing I would fear is that in the course of changing the Win2k mode you would harm the trust. I have had a situation where a trust failed and it would not, under any circumstances, allow itself to be recreated and actually function. It makes for a few long weekends.... and I don't mean vacation.

[RoadClosed]

SDK might not want them in the same domain. Otherwise just make the NT boxes DCs in the same domain as the 2003 box. Sometimes trusts are necessary. If you raise your level to active directory there is NO way for an NT box to recognize the structure and authenticate. I am sure there are workarounds but in a nutshell you are removing the conversion from AD to LanMan.

Since you are trying to create users from the NT group on the AD domain, I am assuming you are migrating?

[Tiger Shark]

Now I may be being fuzzy on NT administration but won't he lose all his existing users, permissions etc. if he changes domains on the NT server? That might be even more counterproductive.....

[RoadClosed]

There is a tool to migrate them. I'll look around. That's exactly what I did, I was going to set up 2 domains and a trust since my old one is called olddomain and the new one is newdomain.net. My buddy said the was totally stupid since he upgrated about 10 of them so... I basically built the new domain, micrated them over then demoted the old domain controller and took it off the domain then back on the new domain. Sounds simple but it took me 2 days. I am really trying to rack my brain. This is where a journal comes in handy. The old NT users will come over with no problem.

//EDIT found some notes. SDK is doing exactly what I did. That is how you migrate an old domain to a new one. Working on it....

[Tiger Shark]

Microsoft has a Migration tool.... but it's about a generation out of time right now since NT and the latest SP's of Win2k/Win2k3 are probably so far removed from when the tool was written, (and probably doesn't get updated along with the newer systems).

I chose not to use the migration tool because I saw sufficient bad experiences it made me leary. I chose to recreate the domain and the 350 users manually bit-by-but and move apps to standalone servers as needed until the manual migration was complete. It worked fine.... Bit in the real world my domain is pretty small.... I don't know how big we are talking about with SDK's domain so I might be utterly unuseful to him.

Just... "giving input"....

[RoadClosed]

After going over some notes I really didn't do it exactly like that. But It worked like a charm for me, besides we had to use several old NT servers and keep them working. My biggest issue was DNS since I was focused on the box of WINS.

SDK, At this point you should have backed up your NT server then to be safe I added another crap machine and made it an NT BDC and left it over night to fully sync the domain. Then the next day I had a BDC with all the NT domain settings -just in case. Now take that machine OFF the network.

You can't migrate anything to the AD Domain until the NT box has had AD components installed, that is the migration tool. Now that you have an NT BDC off the network you can upgrade the NT box since if disaster strikes you can put it on and then promote it to PDC. While you restore the fuxored one from tape. So insert the Win2k disk and let it detect that you have a PDC and upgrade it to Win2k, which will get you the AD components.

It sould then run the migration wizard or dcpromo.exe when it reboots. Either way dcpromo.exe will run, this is actually what copies the groups over to AD. You will need all the AD info and your network config as far as active directory goes. NEVER NEVER NEVER cancell this process after you have started the dcpromo or active directory wizard. I actually wrote NEVER NEVER NEVER in my notes. You will also have to decide about forests and trees. New forest, new tree etc.. DNS and a host of others including deciding to enable or disable NULL sessions. If you will still require RAS on old boxes that are pre-2000 then you should keep it, but I would verify those settings.

At this point I begin to wonder, since you were ready to change the AD to mixed mode then you only have one NT box right? Otherwise all the other NT based BDC will REQUIRE mixed mode to continue to operate. If not Change it to Native and rejoice.

I am working off of notes so if someone sees a glaring problem let me know.

[SDK]

Road: I'm doing a pristine migration. ļ I have 100 users on 2 NT domain that I want to merge into one Windows 2003 Domain and decided that it was easier for me to that.

At the moment, my file server is a NT 4.0 server PDB who dieing. The NTFS permission on the server is horrible. Most of them are do using local group. I have a new file server that I want to move data on it. I want to recreate NTFS permission so that users of both domains can access them; basically having user SimonT of Domain NT and user SimontT of AD in the same AD group and give permission on NTFS using the AD group. When NT domain dies, I will just remove NT domain user from AD group.

But right now I'm stuck in Windows 2000 mixed mode and I cannot create Universal group. Universal group are only type of group that can contain user of another domain.

While I know that all DC must be Windows 2003 before raising domain functionality level to 2003, I don't know if this applies to trust between domain or just the domain himself.

[SDK]

Road : I'm not updating my NT domain.. This is not option for me at the moment.

[RoadClosed]

Hey SDK I was out of pocket for a couple of days. Based on what you have said, you would still use my method just to get them on the new domain. I'll ask around though and see if anyone else has been in your situation. Wait you are replacing the old server so all those old NT file premissions will be gone. After migration the users will be in active directory and you can move them in and out of security groups at will. To my knowledge those old permisisons stay on the NT box. Unless you actually change them in AD. But that is just and observation I haven't actually looked at it. You could create a new domain then follow the steps to migrate each to the new domain. That is the only way your are going to get a clean migration? Yuo need some more temp boxes I would think to get what you want.

SimonT of Domain NT and user SimontT of AD in the same AD group and give permission on NTFS using the AD group. When NT domain dies, I will just remove NT domain user from AD group.

Why you are meging the domains? Just migrate SimonT and his NT Server to the AD and control NT permissions via AD. I have given out some contradicting info because I am not sure what you have already. 2 domains, each with their own PDC and BDCs? One new server with AD installed and it's own domain?