Re: ** Please Advise ** NT4 -> 2003 Upgrade Plan !!
From: SG (ab_at_cd.com)
Date: 01/17/05
- Next message: Phillip Renouf: "Re: Windows 2003 DC and more than 4GB RAM"
- Previous message: Marsha: "Machine role is domain controller"
- In reply to: Brian Desmond [MVP]: "Re: ** Please Advise ** NT4 -> 2003 Upgrade Plan !!"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 17 Jan 2005 15:08:18 -0500
Thanks for the response.

I have followed the plan outlined in my previous post and all appears to be
working fine. I realize not having the dns structure fully installed could
lead to potential problems, but I have the 2003 DC's running in emulation
and the NT4 BDC's are properly being updated by the PDC emulator, i.e.
account changes and such. I am under the impression that running the
NT4Emulator keys on the DC's keeps all clients in the dark about using 2003
DC's? I can logon just fine in the remote office (via VNC/RDP) with any
valid user account with no delays. I am still running WINS and replicating
as before (HUB-SPOKE) and all servers in all offices are accessible via
browsing the network from any location on the WAN. Why would dns be a
problem in the remote offices if nothing changed in respect to the local BDC
and they can successfully authenticate? My plan is to upgrade each office DC
to 2003 with emulation keys and implement dns during each upgrade process to
that remote office. When all of the offices have a local 2003 DC / AD DNS
implementation, I was going to remove the keys to start implementing AD
functionality, i.e. GPO, etc. Many users travel to the main office, so if I
didn't use the emulation keys on the new 2003 DC's and they login while at
the main office, their machine would be updated to the new domain name. I
didn't want the user to have problems when logging on to the network when
back in their "remote" office since there will be no 2003 DC and no AD dns
locally. Is this correct thinking or am I missing something? I don't want
remote clients to authenticate across the WAN if I can help it.

Do you think it will be ok to put in the neutralize key for the 2000/xp
clients that are local to the 2003 DC's and will never be logging into the
network from a remote office?

Also, I am getting a lot of ANONYMOUS LOGON entries in the security log on
the 2003 DC and was wondering if you or anyone can shed some light on this:
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9A815)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TAYLOR
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.239
Source Port: 0
Can I at least enforce NTLMv2 on the domain and refuse LM/NTLM? Will the NT4 BDC's
function correctly? They are up to SP6a.

Thanks for all the help.
SG
"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news:uVBERV4#EHA.2156@TK2MSFTNGP10.phx.gbl...
> Hi there,
>
> As far as the error you're receiving, this is expected behavior. The
> computer has changed its machine account password on its schedule (usually
> every 30 days), and now it has a different password than when it was in the
> NT4 domain.
>
> I've answered the rest of your points inline below.
>
> --
> --Brian Desmond
> Windows Server MVP
> desmondb@payton.cps.k12.il.us
>
> www.briandesmond.com
>
> > 1) Install new nt4 BDC and promote to PDC. Synchronize domain and remove
> > former PDC (now BDC).
> > 2) Upgrade to 2003 AD on current PDC.
> > 3) Install fresh 2003 Server on a brand new pc and join domain. Run dcpromo
> > to make as DC. Enable as Global Catalog. Force Synchronize both DC's.
> > 4) Run dcpromo on first DC (pc upgraded in step 2) to demote and force all
> > roles to newly installed 2003 machine in step 3.
> > 5) Install fresh 2003 Server on another new pc and join domain. Run dcpromo
> > to make as DC. Enable as Global Catalog.
> > 6) Remove Global Catalog from pc in step 3 since it will be the
> > infrastructure master.
>
> If this is a single domain environment, you do not need to do item 6, just
> mark all your DCs GCs. This is only relevant in a multidomain environment.
>
> > Result: 2 freshly installed 2003 DC's with all user and computer accounts
> > intact.
> >
> > My questions are:
> > 1) Is there anything wrong or missing with this plan?
> >
> > 2) Should I use the NT4Emulator registry entry on all pc's that are going to
> > be 2003 DC's for purpose of fallback plan? If so, when is it ok to remove
> > the setting to force clients to append the domain suffix? I need the
> > fallback plan to work in case it is called upon. It's useless to remove a
> > BDC for a fallback plan just to have all client pc's to not work or have
> > invalid computer accounts when used with the old NT4 domain, per my
> > experience in first paragraph.
>
> The NT4Emulator reg key is not a fall back option. It is to prevent all your
> 2k/XP/2003 clients from immediately swamping the new DC. See this KB for
> more info http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284937.
>
> > 3) What will remote office users/computers experience when they log onto
> > network after upgrading domain to 2003 AD? Their local DC will still be a
> > NT4 BDC for some time. Will they authenticate successfully to their local
> > BDC or will they go across the WAN link to authenticate with the new 2003
> > DC's, even though they will NOT be using AD dns servers? The AD dns
> > structure will expand to remote offices as each office BDC is upgraded to
> > 2003. In other words, the remote office clients will still use their current
> > dns server entries and not point to the new dns servers in AD. WINS will
> > still be used on network to resolve server names. Only the local clients to
> > the new 2003 DC's will use the new AD dns servers.
>
> My experience is that sometimes the clients need a reboot after the upgrade.
> Not always, though. Without the NT4Emulator, the PCs will go across the WAN
> to a 2003 DC. Your clients need access to the AD DNS infrastructure whether
> they'll be talking to a BDC or not. You need to fix this right away. 2k+
> clients will need to locate the PDC emulator, global catalogs, site
> information, etc.
>
> > 4) If using NT4 Emulation on DC's, will Pro and XP clients local to the 2003
> > DC's still process group policies? Remote office XP/Pro clients will NOT
> > process group policies regardless of NT4 Emulation since they don't know
> > about the AD dns servers, correct?
>
> GP will not be processed unless there is a NeutralizeNT4Emulator reg key on
> the client. See above about DNS, you can't do what you're planning as far as
> skipping the DNS goes.
>
> > Thanks in advance for any response, tips, assistance with this post.
> >
> > SG
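The ANONYMOUS LOGON entry SG pasted is a "Successful Network Logon" record from the 2003 DC's security log. The following added example (not from the thread or either poster) parses records in that text layout and totals anonymous type-3 NTLM logons per source address and workstation, which is the first step in tracing which hosts generate them; the sample records are constructed, with only the first two mirroring the fields shown in the post.

```python
# Added example (not part of the original thread): parse Windows 2003-style
# "Successful Network Logon" text records and count anonymous NTLM network
# logons per source host, so NT AUTHORITY\ANONYMOUS LOGON noise can be traced.
import re
from collections import Counter

# Constructed sample: two anonymous logons from TAYLOR and one real user logon.
SAMPLE_LOG = """\
User Name:
Logon Type: 3
Authentication Package: NTLM
Workstation Name: TAYLOR
Source Network Address: 192.168.1.239

User Name:
Logon Type: 3
Authentication Package: NTLM
Workstation Name: TAYLOR
Source Network Address: 192.168.1.239

User Name: jsmith
Logon Type: 3
Authentication Package: Kerberos
Workstation Name: WS042
Source Network Address: 192.168.1.50
"""

# "Field Name: value" -- the value may be empty, as User Name is for anonymous logons.
FIELD_RE = re.compile(r"^([A-Za-z ()]+?):\s*(.*)$")

def parse_records(text):
    """Split blank-line-separated event records into {field: value} dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        records.append(fields)
    return records

def anonymous_network_logons(records):
    """Count type-3 NTLM logons with an empty User Name, keyed by (source address, workstation)."""
    hits = Counter()
    for r in records:
        if r.get("Logon Type") == "3" and r.get("Authentication Package") == "NTLM" \
                and r.get("User Name", "") == "":
            hits[(r.get("Source Network Address", "-"), r.get("Workstation Name", "-"))] += 1
    return hits
```

Run it over an exported security log to see which workstations are behind the anonymous entries before deciding on an anonymous-access or LM/NTLM policy change.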