Server 2000>2003 Migration HELP!


TimHi

Hi. I am in a bit of a bind. We are migrating our Server 2000-based domain to Server 2003. This will involve a domain name change and DNS/DHCP restructuring. I've been reading a lot about forests and trees and that's where my question lies.

Should I put my new 2003 PDC in a new forest, or make new tree in the existing forest? I am kind of looking for common practice I guess. I am renaming the domain with new hardware, so I am leaning toward creating a new forest. That way I wouldn't have to transfer any operations roles and I can start fresh with a new PDC. Then after the migration, I would scrap the original forest and take the old stuff offline. Downside is I would have to configure a new schema.

This is a pretty simple domain: no trusts, no GP, only a couple administrative groups. Just Exchange, Blackberry Enterprise, and lots of accounts. Is remaking the schema a big deal?

The other downside of starting a new forest is I can't setup a forest-to-forest trust using 2000 Server. I sort of want to keep the old domain up while I migrate accounts over for disaster recovery so people can log into either domain.

So it's either make a new tree: keep the existing schema, transfer roles, maintain an online backup during cutover. OR make a new forest: start fresh, new schema, higher risk, original forest dies.

Anyone have any advice? :wacko:

Thanks...

Edited by TimHi

Honestly, if you're doing a domain rename as part of the process, I'd go with the new forest route. You can do a domain rename once you migrate all of your 2000 machines off and move to a 2003 native AD schema structure, but that can leave interesting artifacts behind that may (or may not) cause issues in the future.

Migrating to a new forest keeps things like that from happening, although you'll need another Exchange/BlackBerry installation, and migrating the mailboxes will be (slightly) more difficult than an in-place domain upgrade. However, long term, I think a new forest migration is worth it.

2 weeks later...

Thanks for the reply, cluberti. I went with the forest route. Got AD and DNS configured so I can ping from both sides, and I created an account and logged in from a workstation in the building. I'm having a problem getting my trust in, however. When I try to verify the external two-way trust it says that it cannot contact the target domain controller.

I read that it uses NetBIOS to resolve for trusts, so I installed WINS server in the test domain (the current domain already has it). I set up replication partners on both servers, but when I try to replicate it gives the following:

event 4102 "The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server."

and event 5721 "The session setup to the Windows NT or Windows 2000 Domain Controller \\*host*.*domain*.org for the domain *domain* failed because the Domain Controller did not have an account *test*.org. needed to set up the session by this computer *testhost*.

ADDITIONAL DATA

If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain."

So it ties back to the same reason the trust wasn't working. Any ideas?

Thanks.

dcdiag /v reported no failures on both domains. This event popped up on both domains when I tried to put the trust in:

Event 5723: The session setup from the computer <computer name> failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is <computer name>$.

So each can tell that the other computer is trying to make a trust, it just can't authenticate.

Does the PDC from each domain need to have a computer account in AD Users and Computers for trusts to work?

Thanks.

Would you mind taking a peek at my DNS? I probably have this set up totally wrong...

DomainA = current domain (2000) (2 dns servers)

DomainB = new domain (2003) (1 dns server)

DomainA DNS: has 2 AD-integrated forward lookup zones

AD-integrated lookup zones for DomainA.com:

Zone1: domainA.com

SOA=DC.domainA.com

Name servers=dc.domainA.com, dc-backup.domainA.com, dc.domainB.com

Created a host record in this domain to point to the IP of the domainB DC. Is that right?

Zone2: domainB.com

SOA=DC.domainB.com

Name servers=dc.domainB.com, dc.domainA.com

Forwarder pointing to DC.domainB.com

I am given to understand that the second lookup zone for domainB is so they can talk.

AD-integrated lookup zones for DomainB.com:

Zone1: domainB.com

SOA: dc.domainB.com

Name servers=dc.domainB.com, dc.domainA.com

Conditional Forwarder pointing to DC.domainA.com

domainB.com also has a _msdcs zone because DCPROMO installed DNS automatically. Do I need to do anything with it??

I even created a root hint in both domains to point to each other.

DomainA cannot ping domainB.com, but it can ping dc.domainB.com

DomainB CAN ping domainA.com as well as dc.domainA.com and dc-backup.domainA.com

Plus, all of my references to DomainA from domainB are to the DC housing the DNS, not the PDC. Should that change?

When I try to create the trust I get:

The secure channel (SC) verification on domain controller \\dc.domainB.com of domain domainB.com to domain domainA.com failed with error: The security database on the server does not have a computer account for this workstation trust relationship.

The secure channel (SC) verification on domain controller \\DC-backup.domainA.com of domain domainA.org to domain domainB.com failed with error: The specified domain either does not exist or could not be contacted.

Any advice you could give would really help at this point. This is a test box but I am pulling my hair out!!

Thanks,

Edited by TimHi
The trust is fixed.

In case anyone else was interested: many people use conditional forwarders to set up trusts, which work fine, but only if both machines are 2003. 2000 machines cannot do conditional forwarders, so I set up a secondary zone. Apparently forwarders and zones don't play well together. Creating a secondary zone for DomainB in DomainA and vice versa solved the problem.

Is it possible to log onto Exchange from a different domain? I am moving all users to domainB and keeping Exchange in domainA (that was the whole purpose of the trust). Anyone have any advice on what I need to do next?

Thanks.
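An added diagnostic script, written for this thread and not posted by anyone in it, that puts the secondary-zone fix above and the DNS layout from the earlier post into commands you can run on the DC of each side; the domain name and DC IPs are placeholders, and it assumes the Windows 2000 Support Tools (dnscmd, nltest) are installed on the 2000 DC.

```batch
@echo off
rem Run on a DC of the LOCAL domain; point it at the PARTNER domain.
rem Placeholder values (replace): partner domain and its DNS-hosting DC IPs.
set REMOTE_DOMAIN=domainA.com
set REMOTE_DC_IP=10.0.0.10
set REMOTE_DC_IP2=10.0.0.11

rem 1. Hold a read-only secondary copy of the partner's zone instead of a
rem    conditional forwarder (which the Windows 2000 DNS service lacks).
dnscmd /ZoneAdd %REMOTE_DOMAIN% /Secondary %REMOTE_DC_IP% %REMOTE_DC_IP2%

rem    A 2003 forest root publishes its DC locator records in a SEPARATE
rem    _msdcs zone (the one DCPROMO created), so pull that one too when the
rem    partner is the 2003 domain. A 2000 domain keeps _msdcs inside its
rem    main zone, so this line is not needed in that direction.
dnscmd /ZoneAdd _msdcs.%REMOTE_DOMAIN% /Secondary %REMOTE_DC_IP%

rem    On the MASTER side, only the partner DC should be allowed to pull a
rem    zone transfer; an open transfer list hands out the whole AD topology.
rem    (Run on the master, with the secondary DC's IP in place of 10.0.0.20.)
rem dnscmd /ZoneResetSecondaries domainB.com /SecureList 10.0.0.20

rem 2. Force the transfer and confirm the zone arrived.
dnscmd /ZoneRefresh %REMOTE_DOMAIN%
dnscmd /EnumZones

rem 3. The records a trust needs: the domain's A record (the one domainA
rem    could not ping) and the DC locator SRV records.
nslookup -type=A %REMOTE_DOMAIN%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_DOMAIN%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%REMOTE_DOMAIN%

rem 4. DC locator and secure-channel check: the step that produced the
rem    "security database ... does not have a computer account" error.
nltest /dsgetdc:%REMOTE_DOMAIN%
if errorlevel 1 echo DC locator failed: fix DNS before touching the trust
nltest /sc_verify:%REMOTE_DOMAIN%
if errorlevel 1 echo Secure channel failed: check trust account and time skew
nltest /domain_trusts
```

Run it from both sides; the secure-channel step only passes once each DC can resolve the other domain's SRV records through its own DNS, which is exactly the dependency the two posts above were chasing.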
