Basically your suggestion is correct, but if you have 800 Win2k workstations you can appreciate the technical, logistical and PR problem this would create.

The problem and solution is thus:

The problem: Win2k workstations, once given the opportunity to speak Win2k AD/Kerberos to a Win2k AD DC, will not automatically go back to WinNT/NTLM stuff. In a default upgrade scenario, if we put the old NT PDC back online because of some catastrophic problem during the AD upgrade, we would have to do the 'add to workgroup/add to domain' kind of thing.

The solution: Prior to running the DCPROMO part of the NT to AD upgrade, use your favorite registry editing tool to go to the HKLM/System/CCS/Service/Netlogon/Parameters key and add the following REG_DWORD value: NT4Emulator = 1. This can be done on the NT PDC prior to starting the Win2k upgrade, or after the OS part of the Win2k upgrade but prior to the DCPROMO stuff.

This hack is detailed in Q298713 and Q284937. It basically presents an NT front to clients from Win2k AD DCs, and is intended as a short-term fix for situations such as this. You would not keep this hack active for an extended period of time. Additionally, it prevents some types of communications that you would prefer to succeed, such as trying to promote another Win2k server to a DC in the new AD world. To get around that you go to the server you want to communicate with your new DC and add, in the same HKLM/System/CCS/Service/Netlogon/Parameters key, the REG_DWORD value NeutralizeNT4Emulator = 1.

In our case, the window where any kind of backout would be contemplated is not big - two or three days at most. After that, kill the registry entries.

This has been tested in our lab - what could go wrong??

Jon

-----Original Message-----
From: kanee [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 5:10 PM
To: Exchange Discussions
Subject: RE: NT to AD Backout Problem

you need to remove those win2k workstations out of the domain into a workgroup, then reboot, then re-add them back to the domain, this time when you add them to the domain they will pick up the correct nt domain from your nt servers.

Even though your domain is the same name, win2k workstations have to be removed from the domain because they have a domain sid assigned in their registry which points to the win2k DC, since you took the win2k dc's offline, the win2k servers still are looking for that domain sid and your nt server does not have the same domain sid and thus the message trust has been broken. Remove them from the domain and add them back and all your win2k workstations will be fine.

Let me know if that helped.

thx

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 3:06 PM
To: Exchange Discussions
Subject: RE: NT to AD Backout Problem

My gut feel is that you'd have better luck promoting one of the BDCs to PDC for backout.

-----Original Message-----
From: Martin, Jon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 10:48 AM
To: Exchange Discussions
Subject: NT to AD Backout Problem

More of an NT/AD than an Exchange issue, but we're only going to AD to get to Exchange 2000, so here goes:

As part of planning our migration from our current single NT domain to a single-forest, single-domain active directory, a plan to back out this upgrade in case of unforeseen problems is being developed and tested. The upgrade plan goes something like this:

- Create a new NT BDC on new hardware.
- Take the production NT PDC offline prior to the AD upgrade.
- Promote a new BDC to the PDC.
- Upgrade the PDC to AD

This is all done using the same netbios domain name in AD as we had in NT, and an internal DNS namespace name that happens to be the same as our WinNT/AD domain name. And, it works great.

But, just in case it does not go as well in the real world as it does in our lab, we have the following as a backout plan:

- Take the new AD DC(s) offline
- Put the old PDC online.
- Re-sync the NT domain

So far, so good. It all works great - everyone can log back on to the old NT domain and keep going while I figure out what went wrong.

Well there is one exception: Windows 2000 workstations and member servers cannot log on - they get a 'Broken trust relationship with the domain controller' message at log on. Win9x and NT boxes have no problem.

Any ideas?? Much thanks for any assist.

Jon Martin
Systems Programmer
East Bay Municipal Utility District (EBMUD)
Oakland, CA

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
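An added example, not from any poster in this thread: a PowerShell helper for applying, auditing and removing the NT4Emulator and NeutralizeNT4Emulator values Jon describes. It assumes it is run elevated on the machine being changed and uses the full Netlogon parameters path that the thread abbreviates as HKLM/System/CCS/Service/Netlogon/Parameters.

```powershell
# Added example (not from the thread). Manages the two Netlogon DWORD values
# discussed above (see Q298713 and Q284937). Assumption: run elevated on the
# DC or member server being changed.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$EmulatorValues = @('NT4Emulator', 'NeutralizeNT4Emulator')

function Get-NT4EmulatorState {
    # Report which of the two values exist and what they are set to, so the
    # temporary hack can be audited and is not forgotten after the backout window.
    $props = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop
    foreach ($name in $EmulatorValues) {
        [pscustomobject]@{
            Name  = $name
            Set   = ($null -ne $props.PSObject.Properties[$name])
            Value = $props.$name
        }
    }
}

function Enable-NT4Emulator {
    # On the PDC, before DCPROMO: present an NT4-style front to clients so a
    # backout to the old NT PDC does not require re-joining Win2k workstations.
    Set-ItemProperty -Path $NetlogonParams -Name 'NT4Emulator' -Type DWord -Value 1
}

function Enable-NeutralizeNT4Emulator {
    # On a server that must still talk AD to the emulating DC (for example one
    # you intend to promote): bypass the emulation for this machine only.
    Set-ItemProperty -Path $NetlogonParams -Name 'NeutralizeNT4Emulator' -Type DWord -Value 1
}

function Disable-NT4Emulator {
    # After the backout window closes: remove both values. Leaving NT4Emulator
    # in place keeps clients on the NT4/NTLM path instead of Kerberos.
    foreach ($name in $EmulatorValues) {
        Remove-ItemProperty -Path $NetlogonParams -Name $name -ErrorAction SilentlyContinue
    }
}

# Typical sequence on the PDC before DCPROMO, then an audit:
# Enable-NT4Emulator
# Get-NT4EmulatorState | Format-Table -AutoSize
# ...after the two-to-three-day window: Disable-NT4Emulator
```

Netlogon reads its parameters when the service starts, so plan a Netlogon service restart (or reboot) after each change and re-run Get-NT4EmulatorState to confirm the values are gone once the window has closed.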

