Monday, May 01, 2006 8:44 PM
Jorge
Example NT4 to AD upgrade
So you want to in-place upgrade your current NT4 domain to an AD domain and keep the same NetBIOS domain name. This is AN EXAMPLE of how to do it. Make sure you change anything that is specific to your environment and check that everything has been taken into account! This example procedure is NOT complete for every environment.
The steps to accomplish this are:
- Introduce two additional NT4 BDCs (freshly installed - desktop-class hardware will be OK)
- Introduce two freshly installed W2K3 member servers into the domain and install and configure DNS (with DNS zones and DDNS), WINS (and DHCP if needed) on them (these will be promoted to DCs later on)
- Configure the NT4Emulator and NeutralizeNT4Emulator registry values (both REG_DWORD = 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) on the W2K3 member servers. Reboot the servers (see: http://www.petri.co.il/first_dc_in_domain_problem.htm & http://support.microsoft.com/?kbid=284937)
- Point all servers to the new DNS/WINS servers in their TCP/IP settings
- Promote one of the freshly installed NT4 BDCs to PDC and synchronize the domain
- Configure the NT4Emulator and NeutralizeNT4Emulator registry values on the new NT4 PDC. Reboot the server (see: http://www.petri.co.il/first_dc_in_domain_problem.htm & http://support.microsoft.com/?kbid=284937)
- Shut down the other freshly installed NT4 BDC and keep it as a fallback: it holds a full copy of the SAM from before the upgrade
- Upgrade the new NT4 PDC to a W2K3 DC and, during the AD installation, choose the Windows Server 2003 interim forest functional level
- Promote both W2K3 member servers to DCs and after that make both DCs a global catalog (GC)
- Promote both w2k3 member servers to DCs and after that make both DCs a GC
- Transfer the FSMO roles from the upgraded w2k3 DC to one of the fresh installed W2K3 servers (now DCs)
- Configure the DNS zones to be AD integrated and configure secure DDNS
- Demote the upgraded w2k3 DC to a member server and remove from the domain
- If everything is OK remove the NT4 BDCs from the domain and cleanup computer accounts
- REMARK: if you are going to keep AD DCs and NT4 DCs alongside each other for an extended period, you need to consider NETLOGON replication between the AD DCs and the NT4 DCs. AD DCs use FRS replication for the NETLOGON share and NT4 DCs use LMRepl. The two are not compatible with each other, so logon scripts and system policies will not flow between them by themselves. You may need to solve that by introducing the LBRIDGE.CMD script. More information about this is available at:
- Synchronize File Replication Services
- Windows 2000 Does Not Support Windows NT 4.0 Directory Replication (LMRepl)
- JSIFAQ TIP 5129 » How do I replicate system policies from a Windows 2000 domains controller to a Windows NT 4.0 domain controller?
- JSIFAQ TIP 2068 » How do I perform directory replication in a mixed Windows 2000 / Windows NT 4.0 domain?
- If everything is OK remove the NT4Emulator and NeutralizeNT4Emulator registry values from the freshly installed W2K3 servers (now DCs). Reboot the servers one by one. If you have W2K/WXP/W2K3 clients and/or servers, these will start using Kerberos authentication as soon as they can see the W2K3 DCs. Until now these clients/servers were not able to see them, because the W2K3 DCs were emulating NT4 DC behavior to prevent the secure channel from being upgraded to Kerberos and to stay with NTLM. Had you not done this and then wanted to revert to the NT4 DCs (removing the W2K3 DCs), you would have needed to rejoin each W2K/WXP/W2K3 client and/or server to the domain
- If everything is OK increase the domain and forest functional level to windows server 2003
REMARK: the use of the NT4Emulator registry value on the DCs also prevents W2K/WXP/W2K3 clients/servers from applying GPOs (the AD domain really behaves like an NT4 domain!). That value is just a safety measure so the first W2K3 DC is not overloaded by every AD-aware client switching to it at once. The other safety measure is to first test everything using NTLM authentication and only then switch to Kerberos by removing the values (NT4Emulator and NeutralizeNT4Emulator) from the DCs
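Since the NT4Emulator / NeutralizeNT4Emulator values are set, checked and later removed in several steps of this procedure, here is an added example (not part of the original posting, and not from Microsoft) that wraps those registry operations in a couple of PowerShell functions. The registry path and the two value names come from KB 284937; the function names, the $Mode parameter and the state names returned by the check are my own. It assumes you run it as a local administrator on the W2K3 box in question and reboot afterwards as the procedure says.

```powershell
# Added example: manage the Netlogon NT4 emulation values used in this procedure.
# Path and value names as documented in KB 284937 (assumed correct for W2K3).
# Everything else (function names, modes, state strings) is this example's own.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-NT4EmulationMode {
    param(
        # 'DC'      : the box emulates an NT4 DC toward clients (NT4Emulator=1)
        #             but can itself see AD (NeutralizeNT4Emulator=1). This is
        #             what the procedure puts on the new W2K3 servers.
        # 'Client'  : only NeutralizeNT4Emulator=1, for a machine that must see
        #             the AD DCs while emulation is still active (admin station).
        # 'Off'     : remove both values so clients switch to Kerberos and GPOs.
        [ValidateSet('DC', 'Client', 'Off')]
        [string]$Mode
    )

    # Remove both values first so the end state never depends on what was there.
    foreach ($name in 'NT4Emulator', 'NeutralizeNT4Emulator') {
        Remove-ItemProperty -Path $NetlogonParams -Name $name -ErrorAction SilentlyContinue
    }

    if ($Mode -eq 'DC') {
        New-ItemProperty -Path $NetlogonParams -Name 'NT4Emulator' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($Mode -ne 'Off') {
        New-ItemProperty -Path $NetlogonParams -Name 'NeutralizeNT4Emulator' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Netlogon reads these at start-up: a reboot (or a Netlogon restart) is still required.
}

function Get-NT4EmulationMode {
    # Returns 'DC', 'Client', 'Off' or 'Unexpected' so you can verify each server
    # before rebooting it and before removing the values one by one at the end.
    $p   = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $emu = if ($p) { $p.NT4Emulator }           else { $null }
    $neu = if ($p) { $p.NeutralizeNT4Emulator } else { $null }

    if ($emu -eq 1  -and $neu -eq 1)      { return 'DC' }
    if ($null -eq $emu -and $neu -eq 1)   { return 'Client' }
    if ($null -eq $emu -and $null -eq $neu) { return 'Off' }
    return 'Unexpected'   # e.g. NT4Emulator=1 without the neutralizer: the DC itself
                          # would then be blind to AD, which you do not want.
}

# Usage during the procedure (run on each W2K3 server in turn):
#   Set-NT4EmulationMode -Mode 'DC'     ; Get-NT4EmulationMode ; Restart-Computer
# and at the end, one server at a time:
#   Set-NT4EmulationMode -Mode 'Off'    ; Get-NT4EmulationMode ; Restart-Computer
```

After the reboot you can confirm from an AD-aware client whether it now locates an AD DC or still only sees an "NT4" one with `nltest /dsgetdc:<NetBIOS domain>` (nltest ships with the Windows Support Tools); the output flags change once the values are removed and the client has switched to Kerberos.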
There is more to it than this, so make sure you look at:
If you also have Exchange, you need to take care of that too!
Good luck!
Jorge
--------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------