-
October 6th, 2006, 07:49 AM
#1
NT Domain Controller dying?
I have a Compaq server running Windows NT Server SP6. Along with being the central location for our main applications it is also our domain controller. A while ago a problem began where I would start getting calls from employees with a range of problems but the bottom line of all the problems is connectivity. Whether it was a remote database not loading or not being able to log into a centrally located version control program or unable to access shared resources on another computer. Clicking on various PCs in Network Neighborhood would result in Access Denied on some... others would continue to function. Rebooting the server solves the problem... for a while. It has happened at intervals anywhere from weeks apart up to twice in the same day. I have no idea what it could be or even what to look for. I would like to switch over to another computer I have available with Windows 2003 Server installed on it that I could turn into a domain controller but I am really dreading what will happen when I take the NT domain controller offline.
So I guess my problem/question is twofold.
1. Any ideas on what I can check that might be causing the domain to crumble until I reboot the controller again?
2. Should I write down all the groups, computers and users and their permissions from the NT controller and manually enter them all into the new computer before plugging it into our network? Or is there a better way to switch from an NT domain controller to a 2003 controller. (I don't think the NT controller can be upgraded - NT partition, no memory, slow, and just too old)
Thanks,
Robb
-
October 6th, 2006, 03:23 PM
#2
I never worked in an NT environment, but what you're experiencing could be a conflict of DHCP, where something else on your network is also trying to autoconfigure the network.
Are your workstations all XP? Seems like a no-brainer to migrate to 2003. I would give yourself some extra time to work out the bugs but once it's up you'll spend a lot less time on admin stuff. Maybe you can move a portion of the network over (e.g. the new server and your workstation) first to work out problems before you completely destroy the existing network.
-
October 7th, 2006, 07:47 AM
#3
The way to get from an NT4 domain to a Windows 2003 domain without having to recreate all your accounts, reassign permissions etc is to upgrade an NT4 machine to 2003.
If you can't (or don't want to) do that with real hardware (can't say I blame you), a virtual machine in something like Virtual PC is an excellent choice for a temporary domain controller. The basic process looks like this:
- Install NT4 as a Backup Domain Controller on the virtual machine (VM).
- Promote that new install to become the Primary Domain Controller.
- Upgrade the VM to Windows Server 2003. The domain will be upgraded during the process.
- Run "dcpromo" on the real Windows Server 2003 machine to also make it a domain controller.
- Transfer the FSMO roles to the real Windows Server 2003 machine.
- Run "dcpromo" on the VM to make it a regular server (not a domain controller anymore).
- Turn off the VM.
If you want to go that way then post back, and next week at work I'll dig up some of the references I used when I did this (and post more stuff on those FSMO roles).
Safe computing is a habit, not a toolkit.
-
October 9th, 2006, 08:01 AM
#4
 Originally Posted by Tuttle
If you want to go that way then post back, and next week at work I'll dig up some of the references I used when I did this (and post more stuff on those FSMO roles).
This sounds like a plan. I would really appreciate it if you could please send me whatever you have on this.
Thank you,
Robb
-
October 15th, 2006, 03:41 AM
#5
Okay, a bunch of links to start with:
http://www.microsoft.com/downloads/d...0-19544062a6e6
http://www.microsoft.com/windowsserv...ntmigrate.mspx
http://www.microsoft.com/windowsserv...4tows03-2.mspx
http://technet2.microsoft.com/window...7ea4b1033.mspx
There's a whole bunch more stuff linked to from http://www.microsoft.com/windowsserv...4/default.mspx, but those looked the best at first glance. At least skim through a couple of them. Below is a quick adaptation of the process I drew up for a migration at work, but that was a different environment with different issues (half a dozen servers to replace, 30 offices in 2 countries etc). The more you know what to expect, the better you'll be able to deal with any minor unexpected things.
If you have time, I'd very strongly suggest setting up four virtual machines with another domain name (three pretend domain controllers and one pretend workstation on the domain) and doing a dry run of this as a test. Nothing beats experience. If you don't have time, I strongly suggest you make it. A PC with 1 GB of RAM can handle all four (256 MB for the 2003 boxes, 128 MB for the workstation and 64 MB for NT4); 2 GB is better if you have it.
I assume you're at least familiar with the management tools on both NT4 and 2003. If you want clarification on a step, just ask.
As for an example process, let's say we have:
- OldDC (existing NT4 PDC, physical)
- InterimDC (new NT4 BDC, VM)
- NewDC (existing 2003 server, physical)
Then it goes like this:
Preparation
- Backup.
- Ensure the DNS server component is running on NewDC, and all PCs and servers are using it. I'm hoping this is already the case, but if you're still using the NT4 box for DNS you'll need to take care of this first.
- Install NT4 on InterimDC as a BDC.
- Use Server Manager for Domains to promote InterimDC to be the PDC.
- If you have the resources, I'd suggest using another VM to create another NT4 BDC (BackupDC), letting it replicate, then turning it off. If everything goes to hell, you can turn off all the other servers, bring this back online, promote it to PDC and recover from there.
The Actual Domain Upgrade
- Set the NT4Emulator and NeutralizeNT4Emulator registry keys on InterimDC (KB 298713). This stops workstations from locking themselves to Windows 2003 DCs only, so you can go back to the NT4 one as a last resort.
- Put the Windows Server 2003 CD in and upgrade InterimDC. You'll go through the Active Directory installation as part of the process -- you want to create the domain in a new forest. Doing a dry run with VMs and another domain will really help you know what to expect with this bit.
Promoting The Existing Windows 2003 Server
- Set the NT4Emulator and NeutralizeNT4Emulator registry keys on NewDC (KB 298713).
- Use Start | Run to launch "dcpromo" on NewDC and make it a domain controller in the existing domain.
- Using Active Directory Sites and Services, make NewDC a global catalog server (KB 313994).
- Using Active Directory Users and Computers, transfer the RID master, PDC emulator and infrastructure master roles (KB 324801).
- Using Active Directory Users and Computers, add your user to the Enterprise Admins and Schema Admins groups.
- Using Active Directory Domains and Trusts, transfer the domain naming master role (KB 324801).
- Using Active Directory Schema, transfer the schema master role (KB 324801).
- Using Active Directory Users and Computers, remove the user from the Enterprise Admins and Schema Admins groups.
Nuking The VM
- Use Start | Run to launch "dcpromo" on InterimDC and make it not a domain controller.
- Shut down InterimDC.
Then test. Things should work, and once you're happy you can remove those NT4Emulator and NeutralizeNT4Emulator registry keys. They're just because when a Windows 2000 or XP client sees an Active Directory domain controller, it'll refuse to talk to NT4 domain controllers from then on.
You can then go and remove BackupDC from the domain using Active Directory Users and Computers, and decommission OldDC as soon as convenient.
Safe computing is a habit, not a toolkit.
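A check that fits between "Promoting The Existing Windows 2003 Server" and "Nuking The VM" in the process above: confirm that all five FSMO roles have reached NewDC before InterimDC is demoted. This is an added example, not part of any post in the thread. It assumes the text output of `netdom query fsmo` (Windows Support Tools) has been captured; the sample output and the example.local hostnames are constructed, and because the role labels differ between netdom versions they are matched by leading keyword only.

```python
import re

# Leading keyword that identifies each FSMO role in a `netdom query fsmo` line.
# Matching on the first word tolerates label differences between netdom versions.
ROLE_KEYWORDS = {
    "schema master": "schema",
    "domain naming master": "domain",
    "PDC emulator": "pdc",
    "RID master": "rid",
    "infrastructure master": "infrastructure",
}

# Constructed sample: state after the transfers done in Active Directory Users
# and Computers, but before the domain naming and schema master transfers.
SAMPLE = """\
Schema owner                interimdc.example.local
Domain role owner           interimdc.example.local
PDC role                    newdc.example.local
RID pool manager            newdc.example.local
Infrastructure owner        newdc.example.local
The command completed successfully.
"""

def parse_fsmo(output):
    """Return {role: holder hostname (lower case)} from netdom output text."""
    holders = {}
    for line in output.splitlines():
        # Label and holder are separated by a run of spaces or a tab.
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) != 2:
            continue  # status lines, blank lines
        label, holder = parts[0].lower(), parts[1].lower()
        for role, keyword in ROLE_KEYWORDS.items():
            if label.startswith(keyword):
                holders[role] = holder
    return holders

def roles_not_on(output, new_dc):
    """List roles that are absent from the output or held by another DC."""
    holders = parse_fsmo(output)
    wanted = new_dc.lower()
    return sorted(role for role in ROLE_KEYWORDS
                  if holders.get(role, "").split(".")[0] != wanted)

if __name__ == "__main__":
    pending = roles_not_on(SAMPLE, "NewDC")
    print("Do not demote InterimDC yet:" if pending else "All roles on NewDC.", pending)
```

An empty list from `roles_not_on` means every role is on the named server; a role missing from the output is reported the same way as one still held elsewhere.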