-
I don't want to migrate an NT 4.0 to 2003. I'm not familiar enough with that and, to be honest, I don't have the time and equipment to make a testing lab of that migration.
I think I'll have to make the test myself to see if an AD with Domain Functionality 2003 can make a trust with an NT 4.0 domain.
-
The only way to do that, SDK, is in mixed mode. If the intention is to sunset your NT boxes you have to migrate or build the accounts from scratch like Tiger did. But either way the AD has to be in mixed mode to communicate with NT. There may be some middleware component that would do it but then that would cost money. You are working with some limitations here. But there is nothing wrong with doing that test, just be careful. You don't want to create a test environment but if you turn off Lanman and the integration it has with Active Directory and then it doesn't work and you can't get it back, you'll find yourself in a pickle. The relationship with AD and NT is very "delicate". You won't need a beefy computer to just create a temp box to do the migration. In fact I was thinking. You could just build a crap box, toss on NT - join the NT Domain then sync the domain, then take the box off and connect it to your AD box, promo it to an NT primary domain controller - then play with the settings. That way you won't mess up any existing domains.
-
So you are telling me that I need to stick to mixed mode if I have an NT 4.0 trust? Right?
-
SDK
This http://support.microsoft.com/?kbid=308195 is about W2K and NT4.0 trust relationships, which you already know.
Some people that I've talked to here told me that there is no difference between W2K and W2K3 on that matter; so you can establish a bi-directional trust relationship between W2K (even in native mode) and NT4.0, and that "feature" is still available on W2K3. They also gave the following 2 links as a reference for troubleshooting, K296403 in particular.
This http://support.microsoft.com/?kbid=296403 can help you with some problems about trust relationships.
This http://support.microsoft.com/?kbid=228477 may help if you run into trust relationship problems.
Please note that I never did that operation myself :)
So I advise you to try it in a lab first :P
-
I think I'll have to try it in a lab to be 100% sure.
-
Quick News: I didn't do the test yet but I talked with a consultant and he said that upgrading my domain functional level to Windows 2003 will NOT affect my trust. I'll check that out tomorrow probably.
-
After wading through all of the articles posted here, I now agree that it won't be affected. Although the trust relationship in AD is very very testy.
-
Well, I did the test and upgrading my forest level to 2003 didn't affect my trust with NT.
But sadly, even after I created a Universal Group, I still cannot add a user from my NT domain into any AD group. Anyone got an idea on how it's done?
-
I've said it and Road said the same....
Trust relationships are messed up in Windows domains... If you can manage to create them (which isn't hard in a similar domain to similar domain situation but can be more difficult in a domain system using different OS's), then you can't guarantee that they will stay there. I have been "bitten" by trusts a couple of times.. The funny thing is - I no longer trust trusts... When they fail they can be unrepairable and can cause huge headaches depending upon how much you rely on that trust..
I'm pretty sure that if M$'s tech support were _really_ honest they'd tell you not to trust trusts too....
That's my $2.00... and I will stand by it....
-
I don't think it's a trust problem. The trusts work perfectly both ways right now. An AD user can access any data on the NT Domain and any NT user can access the AD DNS services right now.
I think the problem lies more in how Windows 2003 looks around for other domains. I'll google that.