Hey Tony,

I wouldn't really agree to the legwork bit
=> you have a whole lot of cleanup to do when using upromote or the other tools, as you can't just take the box as it is and happily join it to Domain A anyways. There's a ton of cleanup and testing you'll have to do, and if the final plan is to go to 2003 on the server anyways, then you might as well "do it right"... ;-)

I'm not so worried about the supportability thing - people need to decide for themselves if they want/need the support for their fileservers. I'm more worried about keeping the security intact
=> of course, this could be a non-argument if the hierarchy is very flat and you could just as well reset the permissions manually after breaking the security on the box. This could lead to a whole new approach
=> back up the data and do a brand-new OS install on the server. Depending on its setup, you could even keep the data volumes and just concentrate on re-creating shares and setting the correct permissions ;-)

Rgd. using a separate forest or joining the existing one during upgrade of an NT4 domain
=> usually you'd expect this to work nicely, since now all objects are in one forest and you could more or less easily move them around (via ADMT or movetree). You'd still need to worry about the group scopes so that moving the groups works well (e.g. should change all groups from Domain B to UGs prior to moving them to Domain A).
=> the difficult piece is the profiles on the clients. When collapsing Domain B into Domain A, you'd obviously MOVE the users from one domain to another. Although the users will keep their GUIDs, which are unique in the forest, they'll still get a new SID in Domain A.
=> the challenge now is that you won't have the TIME to prepare the PROFILES on the clients for the moved user's SID, but the user must log on to Domain A since his account in Domain B is gone...

I can hear you argue that ever since Windows 2000, the profile location on clients was updated to work with GUIDs, and as this remains the same, the moved users should still get the same profile... - right?
=> obviously won't work for NT4 clients (hopefully not many around)
=> but XP also has an issue, as it won't update _existing_ profiles on a client with the GUID of an AD account in the client's registry (Windows 2000 clients will do this and are thus exempt from this problem)

So in the end, when you use different forests, it gives you more time to perform the actual migration and works pretty straightforwardly.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, October 22, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

Hi Guido

I fully agree that this would be the safest method, especially when considering preservation of ACLs, etc. It does however involve a lot of legwork. :-)

I was interested by your suggestion to use separate forests. What issues have you come across with collapsing domains within a forest?

Tony

---------- Original Message ----------------------------------
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 22 Oct 2004 16:29:36 +0200

you say you'd want to "upgrade this BDC to a 2003 member server", so I assume you don't have an issue with running W2k3 on the box itself - correct?

If that's the case, I'd go down the path you've mentioned, instead of using tools like upromote or alike - this will ensure that you keep the security of the ACLs on your files intact so that users from Domain B will still be able to access their resources on this box after you've migrated the users to Domain A, which you'll likely do anyways.

The key is that after you've updated Domain B to AD and switched to "native" mode (i.e. both DCs are now 2003), you can demote your FileServer to a normal member server and both domain local and global groups will still apply to the box. You can then change the scope of the groups (e.g. all to global) prior to migrating the server to Domain A
=> the groups will then still apply on the ACLs of the server when your users from Domain B try to access the FileServer resources.

After you've migrated all users, groups and computers to Domain A (with SIDhistory using ADMT or some other tool) and have re-ACLed the server, you can then change the scope of the groups again to meet your needs.

BTW, you do have the choice to join your existing AD forest (from Domain A) during the upgrade of Domain B to 2003. I'd think twice if you want to do this or if you wouldn't want to keep it a separate forest during as you want to migrate it into Domain A anyways. Domain Collapse in the same forest has its own set of issues.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janson Anderson
Sent: Thursday, October 21, 2004 12:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] BDC upgrade

Hi all,

I'm merging/upgrading some NT 4 domains together. Domain A and Domain B are both account and resource domains. I've upgraded Domain A to 2003, and am planning to migrate users and computers from Domain B into Domain A using ADMT v2.

Domain B is small. In fact, when I took over, it consisted of a single PDC that had all files on it. I've since added a second DC and transferred the PDC role to it.

So, to get to my question: The BDC in Domain B has all the files of the users I am going to be transferring. Is there any way to upgrade this BDC to a 2003 member server without upgrading the domain to 2k3 AD first? I would then just move it to Domain A as a member server using ADMT.

From what I've read, it seems the only way would be to upgrade the PDC to 2k3, then upgrade this BDC to 2k3, then dcpromo it down to a member server. Is this the route I have to take, or is there an easier way?

Thanks in advance for the help.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
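
The re-ACL step the thread refers to (replacing Domain B SIDs on the file server's ACLs with the accounts' new Domain A SIDs once users and groups have been migrated) can be illustrated as follows. This is an added example, not code from the thread and not how ADMT itself is implemented; the domain SIDs, RIDs, mapping table and SDDL string are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample values: these domain SIDs and RIDs are made up.
DOMAIN_B = "S-1-5-21-1111111111-2222222222-3333333333"   # source domain
DOMAIN_A = "S-1-5-21-4444444444-5555555555-6666666666"   # target domain

# Old SID -> new SID for each migrated account (hypothetical mapping table).
SID_MAP = {
    DOMAIN_B + "-1105": DOMAIN_A + "-2101",   # a migrated user
    DOMAIN_B + "-1110": DOMAIN_A + "-2102",   # a migrated group
}

# Constructed SDDL for a share folder; RID 1199 was never migrated.
SAMPLE_SDDL = (
    "O:BAG:SYD:(A;OICI;FA;;;BA)"
    "(A;OICI;0x1301bf;;;" + DOMAIN_B + "-1105)"
    "(A;OICI;FR;;;" + DOMAIN_B + "-1110)"
    "(A;OICI;FR;;;" + DOMAIN_B + "-1199)"
)

SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")   # domain account SID literal
ACE_RE = re.compile(r"\(([^()]*)\)")          # one parenthesised ACE

def translate_sddl(sddl, sid_map, old_domain):
    """Swap mapped old-domain SIDs for new ones; return (sddl, orphans)."""
    orphans = set()
    def swap(match):
        sid = match.group(0)
        if sid in sid_map:
            return sid_map[sid]
        if sid.startswith(old_domain + "-"):
            orphans.add(sid)          # old-domain SID with no migrated twin
        return sid
    return SID_RE.sub(swap, sddl), sorted(orphans)

def old_domain_aces(sddl, old_domain):
    """Return (ace_type, rights, trustee) for ACEs still naming the old domain."""
    hits = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")      # type;flags;rights;obj;inh_obj;trustee
        if len(fields) >= 6 and fields[5].startswith(old_domain + "-"):
            hits.append((fields[0], fields[2], fields[5]))
    return hits

if __name__ == "__main__":
    new_sddl, orphans = translate_sddl(SAMPLE_SDDL, SID_MAP, DOMAIN_B)
    print(new_sddl)
    print("unmapped:", orphans)
```

ACEs reported by `old_domain_aces` after translation only keep working through SIDhistory or a trust to the old domain, so they are the entries to review before Domain B is retired.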
