Active Directory Functionality Level and Trust

At the moment, I'm getting ready to do a pristine migration of NT to 2003. So right now, I have one DC in 2003 that run an AD in "Windows 2000 mixed" functional level with a two-way trust to a NT 4 Domain.

At the moment, I can take AD User and add them in NT 4.0 Security Group but I'm unable to add NT users into AD Group. Only the Universal Groups can contain users from another domain in an AD but right now, I cannot create Universal group because my AD is not in Windows 2000 native or Windows 2003 functionality level.

Question : Will raising my AD functionally level to Windows 2000 native or Windows 2003 will broke my two-trust between my 2003 AD and NT Domain??

Trusts are dangersous and sometimes thay fail badly forcing you to move ahead of schedule to get everything into the same domain.

I do remember that the NT trust mechanism is different to the Win2k trust mechanism. The thing I would fear is that in the course of changing the Win2k mode you would harm the trust. I have had a situation where a trust failed and it would not, under any circumstances, allow itself to be recreated and actually function. It makes for a few long weekends.... and I don't mean vacation.

SDK might not want them in the same domain. Otherwise just make the NT boxes DCs in the same domain as the 2003 box. Sometimes trusts are necessary. If you raise your level to active directory there is NO way for an NT box to recognize the structure and authenticate. I am sure there are workarounds but in a nutshell you are removing the conversion from AD to LanMan.

Since you are trying to create users from the NT group on the AD domain, I am assuming you are migrating?

Now I may be being fuzzy on NT administration but won't he lose all his existing users, permissions etc. if he changes domains on the NT server? That might be even more counterproductive.....

There is a tool to migrate them. I'll look around. That's exactly what I did, I was going to set up 2 domains and a trust since my old one is called olddomain and the new one is newdomain.net. My buddy said the was totally stupid since he upgrated about 10 of them so... I basically built the new domain, micrated them over then demoted the old domain controller and took it off the domain then back on the new domain. Sounds simple but it took me 2 days. I am really trying to rack my brain. This is where a journal comes in handy. The old NT users will come over with no problem.

//EDIT found some notes. SDK is doing exactly what I did. That is how you migrate an old domain to a new one. Working on it....

Microsoft has a Migration tool.... but it's about a generation out of time right now since NT and the latest SP's of Win2k/Win2k3 are probably so far removed from when the tool was written, (and probably doesn't get updated along with the newer systems).

I chose not to use the migration tool because I saw sufficient bad experiences it made me leary. I chose to recreate the domain and the 350 users manually bit-by-but and move apps to standalone servers as needed until the manual migration was complete. It worked fine.... Bit in the real world my domain is pretty small.... I don't know how big we are talking about with SDK's domain so I might be utterly unuseful to him.

Just... "giving input".... :D

After going over some notes I really didn't do it exactly like that. But It worked like a charm for me, besides we had to use several old NT servers and keep them working. My biggest issue was DNS since I was focused on the box of WINS.

SDK, At this point you should have backed up your NT server then to be safe I added another crap machine and made it an NT BDC and left it over night to fully sync the domain. Then the next day I had a BDC with all the NT domain settings -just in case. Now take that machine OFF the network.

You can't migrate anything to the AD Domain until the NT box has had AD components installed, that is the migration tool. Now that you have an NT BDC off the network you can upgrade the NT box since if disaster strikes you can put it on and then promote it to PDC. While you restore the fuxored one from tape. So insert the Win2k disk and let it detect that you have a PDC and upgrade it to Win2k, which will get you the AD components.

It sould then run the migration wizard or dcpromo.exe when it reboots. Either way dcpromo.exe will run, this is actually what copies the groups over to AD. You will need all the AD info and your network config as far as active directory goes. NEVER NEVER NEVER cancell this process after you have started the dcpromo or active directory wizard. I actually wrote NEVER NEVER NEVER in my notes. ;) You will also have to decide about forests and trees. New forest, new tree etc.. DNS and a host of others including deciding to enable or disable NULL sessions. If you will still require RAS on old boxes that are pre-2000 then you should keep it, but I would verify those settings.

At this point I begin to wonder, since you were ready to change the AD to mixed mode then you only have one NT box right? Otherwise all the other NT based BDC will REQUIRE mixed mode to continue to operate. If not Change it to Native and rejoice.

I am working off of notes so if someone sees a glaring problem let me know.

Road: I'm doing a pristine migration. ļ I have 100 users on 2 NT domain that I want to merge into one Windows 2003 Domain and decided that it was easier for me to that.

At the moment, my file server is a NT 4.0 server PDB who dieing. The NTFS permission on the server is horrible. Most of them are do using local group. I have a new file server that I want to move data on it. I want to recreate NTFS permission so that users of both domains can access them; basically having user SimonT of Domain NT and user SimontT of AD in the same AD group and give permission on NTFS using the AD group. When NT domain dies, I will just remove NT domain user from AD group.

But right now I'm stuck in Windows 2000 mixed mode and I cannot create Universal group. Universal group are only type of group that can contain user of another domain.

While I know that all DC must be Windows 2003 before raising domain functionality level to 2003, I don't know if this applies to trust between domain or just the domain himself.

Road : I'm not updating my NT domain.. This is not option for me at the moment.

Hey SDK I was out of pocket for a couple of days. Based on what you have said, you would still use my method just to get them on the new domain. I'll ask around though and see if anyone else has been in your situation. Wait you are replacing the old server so all those old NT file premissions will be gone. After migration the users will be in active directory and you can move them in and out of security groups at will. To my knowledge those old permisisons stay on the NT box. Unless you actually change them in AD. But that is just and observation I haven't actually looked at it. You could create a new domain then follow the steps to migrate each to the new domain. That is the only way your are going to get a clean migration? Yuo need some more temp boxes I would think to get what you want.

Quote:

---

SimonT of Domain NT and user SimontT of AD in the same AD group and give permission on NTFS using the AD group. When NT domain dies, I will just remove NT domain user from AD group.

---

Why you are meging the domains? Just migrate SimonT and his NT Server to the AD and control NT permissions via AD. I have given out some contradicting info because I am not sure what you have already. 2 domains, each with their own PDC and BDCs? One new server with AD installed and it's own domain?

I don't want to migrate a NT 4.0 to 2003. I'm not familiar enough with that and to be honest; I don't have the time and equipment to make a testing lab of that migration.

I think I'll have to make the test myself so see a AD with Domain Functionnally 2003 can make a trust with a NT 4.0 domain.

The only way to do that SDK is in mixed mode. If the intention is to sunset your NT boxes you have too migrate or build the accounts from scratch like Tiger did. But either way the AD has to be in mixed mode to communicate with NT. There may be some middleware component that would do it but then that would cost money. You are working with some limitations here. But there is nothing wrong with doing that test just be careful. You don't want to create a test environement but if you turn off Lanman and the integration it has with active direcetory and then it doesn't work and you can't get it back, you'll find yourself in a pickle. The relationship with AD and NT is very "delicate". You won't need a beefy computer to just create a temp box to do the migration. In fact I was thinking. You could just build a crap box, toss on NT - join the NT Domain then sync the domain, then take the box off and connect it to your AD box, promo it to an NT primary domain controller - then play with the settings. That way you won't mess up any existing domains.

So you are telling me that I need to stick to mixed mode if I have a Nt 4.0 trust? Right?

SDK
this http://support.microsoft.com/?kbid=308195 is about W2K and NT4.0 trust relationships, that you already knows

Some ppl that ive talked here told me that there is no diference between W2K and W2K3 on that matter; so you can establish a bi-directional trust relationship between W2K (even on native mode) and NT4.0, and that "feature" is still available on W2K3. They also gave the follow 2 links as a reference for trouble shooting, K296403 in special.


This http://support.microsoft.com/?kbid=296403 can help you on some problems about trust relationship
This http://support.microsoft.com/?kbid=228477 may help if you got in trust relationship problems.

Please notice that i never did that operation by myself :)

So i advice you to try on lab before :P

I think I'll have to try it in a lab to be sure at 100%.

Quick News: I didn't do the test yet but I talk with consultant and he said that upgrading my domain functional level to Windows 2003 will NOT affect my trust. I'll check that out tomorrow probably.

After wading through all of the articles posted here, I know agree that it won't be effected. Although the trust relationship is AD is very very testy.

Well, I did the test and upgrading my forest level to 2003 didn't affect my trust with NT.

But sadly, even after I created a Universal Group, I still cannot add a user from my NT domain into any AD group. Anyone got idea on how it's done?

I've said it and Road said the same....

Trust relationships are messed up in Windows domains... If you can manage to create them, (which isn't hard in a similar domain to similar domain situation but can be more difficult in a domain system using different OS's), then you can't guarantee that they will stay there. I have been "bitten" by trusts a couple of times.. The funny thing is - I no longer trust trusts... When they fail thay can be unrepairable and can cause huge headaches depending upon how much you rely on that trust..

I'm pretty sure that if M$'s tech support were _really_ honest they'd tell you not to trust trusts too....

Thats my $2.00... and I will stand by it....

I don't think it's a trust problem. The trusts work perfectly on both ways right now. An AD users can access any data on NT Domain and any NT users can access the AD DNS services right now.

I think more the problem lie in how Windows 2003 look around for other domain. I'll google that.

The answer you seek is not that apparent. Your accounts will have to be migrated to W2K because of the ASD. (Look to Novell 4.5...that is where Microsoft got/bought this technological innovation from!) Although you do not have to worry about your TRUST relationships...as soon as you enacted an AD you told your network that the new Sheriff in town was W2K. Your NT domain will still exist, but all changes that you want to impose on your network (including policies, user rights, etc.) will have to be declared by the FOREST/TREE!