Windows NT to 2003 Migration: The Final Steps
By Steven Vaughan-Nichols | Posted 2004-09-08
Ready, set, and at last, go. Here are the final steps to take before you make that jump from Windows NT to Server 2003.
The countdown for Windows NT 4 Server is ticking away and with the new year, Microsoft officially pulls the plug on NT Server support. Smart resellers know their clients' migration from NT to Windows Server 2003 shouldn't be done in a year-end rush in between holiday shopping.
However, make sure you've got a lot of time for your conversion. If there's one thing I've always found to be true about updating operating systems, it's that the job always takes longer than you think it will. It's best to assume that you'll need at least a weekend for the job, and given a choice in the matter, a long weekend.
I prefer to start at the top with the PDC (Primary Domain Controller). If the existing PDC can't handle Server 2003, take a BDC (Backup Domain Controller) and upgrade it to a PDC while downgrading the old NT PDC to a BDC.
If none of the existing server hardware can handle Server 2003, set up the soon-to-be master computer with NT. Then set it up as a BDC, promote it to a PDC while demoting the old PDC to a BDC, and finally upgrade it to Server 2003.
Every now and again, I hear of someone trying to clone an existing NT PDC Server to a newer, better machine. And more often than not, they have endless configuration problems afterwards—if they're lucky enough to get the cloned system running in the first place.
Cloning with programs such as Symantec Norton Ghost is great for workstations, but foolish with servers. Sure, it's a pain going through all the trouble of installing NT just to blow all the work away with a Server 2003 update. Then again, at least it works, which is more than I can say for cloning.
Once that job is done, I can upgrade, or replace, the other BDCs and ordinary servers, with Server 2003 installations over the course of several weeks.
Why? Because, if something goes wrong—and doesn't it always—I'd rather have just a couple of servers to contend with than the entire network server to troubleshoot.
If you haven't been using DNS (Domain Name Service) on your network, you'll need to set it up on at least one server. AD (Active Directory) requires DNS to resolve AD domain, site, and service names to IP addresses. You can use any version of DNS on any operating system: Linux, W2K (Windows 2000) or Windows Server 2003. On a primarily Windows-based network, I prefer to run Server 2003 AD and DNS on the same machine.
You're also going to be creating Containers that will hold your NT users, computers and groups. These objects are named Users, Computers, and something called Builtin.
No doubt you can guess what's in the first two, but "Builtin" requires a bit of explanation. Builtin contains NT4's "built-in" local groups, like Administrators and Server Operators. The unique NT 4 local and network groups that you've set up, like the 'Accounting Guys from DC' or 'Pittsburgh Marketeers', are placed in the Users folder.
Configuring the functional levels of your Server 2003 forest
As you upgrade your PDC, you should make it your first domain in your new Server 2003 forest. For your initial NT to 2003 upgrade, you can set your forest functional level to Windows Interim or Mixed levels.
Windows Interim gives most of W2K's AD-level forest functionality while also providing far better replication capabilities and speed. At the same time, you can continue to run NT 4.0 BDCs, but not W2K servers.
To support the widest variety of Windows servers, however, I suggest you run at Mixed level, which supports NT, W2K and Server 2003.
Curiously, if you're running at Mixed level and want to move up to Interim, you can't do it with the AD administrative consoles. Instead, you'll need to use an LDAP (Lightweight Directory Access Protocol) application to edit the value of the msDS-Behavior-Version attribute. A convenient tool is LDP, a Resource Kit utility you'll find in Windows Support Tools.
For more on this tricky bit of domain-structure juggling see Microsoft's documentation.
The one case where you can't use a Mixed model is when you have NT groups with more than 5,000 users. W2K can't handle that many users in a group. In this case, when you upgrade a PDC to Server 2003 you'll want to use Interim mode, and avoid using W2K server on your network.
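To check both conditions before and after an LDP edit, the following added example (not code from the article or from Microsoft) parses an LDIF export of the directory, reads msDS-Behavior-Version from the forest's Partitions container, and flags groups above the 5,000-member limit. The location of the attribute and the level names (Microsoft's documented values 0, 1 and 2) are not stated in the article, and the example.test names are constructed placeholders.

```python
# Added example: audit an LDIF export of the directory before changing levels.
# The level names are Microsoft's documented values, not taken from the article.
FOREST_LEVELS = {0: "Windows 2000", 1: "Windows Server 2003 interim",
                 2: "Windows Server 2003"}
W2K_GROUP_LIMIT = 5000  # the article's per-group member limit for W2K

def parse_ldif(text):
    """Return {dn: {attr: [values]}} with lowercased keys; base64 is not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # a leading space continues the previous line
        else:
            lines.append(raw)
    records, current = {}, None
    for line in lines:
        if not line.strip():
            current = None            # a blank line ends the record
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.split(";")[0].strip().lower()   # drop options such as ;range=
        value = value.lstrip(":").strip()
        if attr == "dn":
            current = records.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return records

def audit(text):
    """Report the forest functional level and groups over the W2K member limit."""
    level, oversized = None, []
    for dn, attrs in parse_ldif(text).items():
        if dn.startswith("cn=partitions,cn=configuration,"):
            # An unset msDS-Behavior-Version is treated as level 0.
            level = int(attrs.get("msds-behavior-version", ["0"])[0])
        if len(attrs.get("member", [])) > W2K_GROUP_LIMIT:
            oversized.append((dn, len(attrs["member"])))
    return {"forest_level": FOREST_LEVELS.get(level, "unknown"),
            "oversized_groups": oversized, "w2k_safe": not oversized}

# Constructed sample export (example.test names are placeholders).
SAMPLE = (
    "dn: CN=Partitions,CN=Configuration,DC=example,DC=test\n"
    "msDS-Behavior-Version: 1\n\n"
    "dn: CN=All Staff,CN=Users,DC=example,DC=test\n"
    + "".join(f"member: CN=user{i},CN=Users,DC=example,DC=test\n" for i in range(5001))
    + "\ndn: CN=Pittsburgh Marketeers,CN=Users,\n DC=example,DC=test\n"
    "member: CN=user1,CN=Users,DC=example,DC=test\n"
)
print(audit(SAMPLE)["forest_level"], len(audit(SAMPLE)["oversized_groups"]))
```

An export that lacks the Partitions entry reports the level as "unknown" rather than guessing, and a group exported in partial ranges is undercounted, so export full membership before relying on the result.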
The server upgrade will likely require updates to some of your client PCs. Windows 98, ME, and if you still have any, Windows 95 and Windows NT clients, all need to have the ADCE (Active Directory Client Extension) installed. Without it, these clients can't use AD-based network resources.
Even with it, they won't be able to use all of AD's functionality. For example, the extension doesn't support Kerberos.
In addition, Microsoft doesn't officially support ADCE for ME. In my experience, however, it has worked just fine.
To get the real goodness out of Server 2003 AD, though, don't stay at Mixed level. Instead, you need to upgrade your Domain Functional Level to Server 2003.
Again, unless you want to take your network's life in your hands and switch all your NT and W2K servers to Server 2003 in one giant leap, take it slowly. Instead, play it smart and work on Mixed level, migrating your servers in small steps.
What you'll gain from this eventual move is the means to have nested security groups, the capability to migrate security principals between domains, and the power to convert security groups to distribution groups and vice-versa.
For my money, though, the big winner with Server 2003 Domain Functional Level is the Domain Rename Tools. With them, you can rename domains and application directory partitions in a deployed Active Directory forest. They give you control over your network structure that NT and W2K AD administrators can only dream of.
This is a lot of work and I've only touched on the high points here. But with NT4 Server's support clock striking midnight on December 31, if you want to stick with a supported Microsoft server-based solution, you must start your customers' migration process immediately.
Still, there is another alternative: replace NT4 with open-source Samba on Linux. For my take on that approach, tune in next week.
The Channel Insider's Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late '80s and thinks he may just have learned something about them along the way.