You cannot just build a Windows Server 2003 box, make it a member of the NT 4.0 domain, promote it to a domain controller and expect it to take over the NT 4.0 network. It does not come even close to working that way. The reality is that you have one of these two choices:
Build a new Windows Server 2003 domain, create a trust to the old network and use the Active Directory migration tool to import accounts (including adding the users previous SID to its history). This creates an entirely new domain, a great method to clear up past mistakes.
Take a current NT 4.0 domain controller, promote it to the PDC and then perform an upgrade to Windows Server 2003. This keeps your entire domain and its structure intact, which makes it a great method for keeping security and migration issues to a minimum.
This article will be focusing on option #2.
Before you get in a rush and upgrade one of your NT 4.0 DCs that just happens to be lying around, I recommend that you go a step further and build a temporary upgrade server instead of using an existing domain controller. That way, if the upgrade fails, you can always fall back to your original network configuration. Without an upgrade server you would be delegating VERY important server roles to a machine that was an NT 4.0 upgrade; eww!
Finding an upgrade box might be a problem if you try this on brand new equipment, because it could be difficult to find NT 4.0 drivers for the latest hardware. So I recommend that you find a slightly older box that meets the Windows Server 2003 minimum requirements and also has NT 4.0 drivers available.
Building the Upgrade Server
First install the upgrade box with NT 4.0 Server and make it a BDC on the domain. Make it easy on yourself: just use an IDE drive so you can use the drivers that ship with NT 4.0 and Windows Server 2003. Also use a VERY popular network card; I recommend a 3COM 90X series. Assign it a static IP address. You MUST use the TCP/IP network protocol for Windows Active Directory domains; that means no NetBEUI or IPX/SPX!
Preparing for the Upgrade to Windows Server 2003
Before you upgrade, you must get your NT 4.0 upgrade box up to date. Make sure it has NT 4.0 SP6a, IE 6.0 and all the updates (just use Windows Update). Promote it to the PDC using Server Manager; doing this will demote your current PDC to a BDC. Then just let it ride on the domain for at least 15 minutes to ensure replication is working properly.
Now that you have promoted the upgrade server to a PDC, we can take it offline and upgrade.
Upgrading to Windows Server 2003
Take the upgrade server off the network (the network card will still need to be active though, so plug it into a hub all by itself). Keep your other NT 4.0 domain controller(s) on the network. For now your network will be running without a PDC. This keeps your network intact so you can easily fall back to the original configuration. If the upgrade server dies, you can always promote one of your BDCs, rebuild another NT 4.0 upgrade server and try again. While your network operates with only BDCs, your clients will only have read-only access to the authentication mechanism on your domain. That means you cannot create new accounts or change passwords until the PDC (or PDC emulator) is back.
Insert the Windows Server 2003 CD into your upgrade server and run setup. This is all very basic. If you are worried that the hardware on your upgrade server is not Windows Server 2003 compatible, run the compatibility wizard. It is an option that pops up when you insert the CD.
The upgrade should go very smoothly. After a few reboots you will be running Windows Server 2003 before you know it. Since this is the first domain controller of the new Active Directory domain, setup will warn you that a DNS server is required (this is required for all Active Directory domains). So just allow the setup program to install DNS on the upgrade server.
When the upgrade is done you should have a Windows Server 2003 Domain Controller (it also has the roles of PDC emulator and DNS server). Now put the server back on the network. The NT 4.0 BDCs will now see the PDC emulator on the upgrade box and replicate domain changes from it. The BDCs by the way have no clue that they are now members of a 2003 Active Directory Domain.
Clue #0: From this point your domain is running in mixed mode. Some features of Active Directory will not be available until you get all your NT 4.0 BDCs permanently removed from the network. More will be mentioned at the end of the article.
Bringing your permanent Domain Controllers online
Now we can work on your other Windows Server 2003 boxes that you have slated to be DCs.
First change their TCP/IP configuration so that they are using the upgrade server as their one and only DNS server and assign them with static IP addresses.
Now go into ‘Active Directory Sites and Services’ and make your permanent servers Global Catalog servers. At least one Global Catalog server is required at every site in a domain. Doing this will give you multiple Global Catalogs (your permanent servers) for redundancy.
Clue #1: As the number of your servers grows, you can move the Global Catalog role to your faster or less busy servers. It is a good idea to make sure that you have at least 1 GC in each site throughout your domain.
As soon as you have your Active Directory Domain established with your permanent servers we can focus on phasing out the upgrade server.
Clue #2: I recommend that you monitor your event logs of all your DCs as you add DC roles on your permanent servers and begin phasing out your upgrade server.
Removing the Upgrade Server
Since the upgrade server was the first domain controller on your 2003 Active Directory domain it has ALL the roles for your domain (including DNS). We need to move those to the other DCs.
First let’s focus on DNS
DNS is integral for Active Directory Domains. So we need to install DNS on another server and ensure that the DNS data is replicating properly.
First install DNS on one of your permanent servers. Do this by choosing the ‘Configure your server’ option when you click ‘start’.
After you get DNS installed, open the DNS configuration tool and add your upgrade server so that you can administer both servers at the same time.
On your upgrade server, make sure that the zones listed (both forward and reverse lookup zones) are set as Active Directory Integrated primary zones. After this is completed, you can then add these zones to your other permanent DNS server and make them Active Directory Integrated as well. Since Active Directory is used to replicate the DNS data, it may take up to 15 minutes for the new zone data to show up on your permanent DNS server(s). Do not continue until you are sure this is working properly.
After DNS is replicating properly, change the DNS TCP/IP settings on your permanent server(s) to use itself for primary DNS (and a neighbor for secondary) for DNS resolution.
You can repeat these steps to install DNS on your other permanent Active Directory Domain Controllers.
Now change the DNS TCP/IP settings on the upgrade server so that it uses your permanent servers. Then remove DNS from the upgrade server.
Removing the Domain Controller Roles from your Upgrade Server
Now that DNS is on the permanent servers, and your upgrade server uses the permanent servers for DNS, you can run DCPromo on the upgrade server to demote it to a stand-alone server.
Clue #3: You MUST demote your upgrade server before you remove it from your network. If you do not demote the upgrade server, your domain will begin to function improperly, and you could cause serious damage if you format the upgrade box before completing this last step.
When you run DCPromo to demote your upgrade server, it first makes sure all data is replicated to the other DCs, and then it starts offloading its DC roles to the other servers. These roles include RID generation, PDC emulator, Infrastructure master, and Global Catalog (recall that we already put the GC role on the permanent servers).
After your upgrade server has been successfully demoted, reboot the server.
Finally you can go into its network identification properties, remove it from the domain and join it to a workgroup. After this step you can physically remove the upgrade server from the network permanently.
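The DNS replication check the article tells you not to skip and the "did the roles really move" check after DCPromo can both be scripted. The script below is an added example, not from the article; it assumes PowerShell is installed on the machine you run it from, that the Windows Server 2003 Support Tools (dnscmd, repadmin, netdom) are on the PATH, and the server and zone names are placeholders you replace with your own.

```powershell
# Added example: readiness checks around demoting the temporary upgrade server.
# Assumes Support Tools (dnscmd, repadmin, netdom) are installed on this box.
$UpgradeServer = "UPGRADE01"                   # placeholder: temporary upgrade box
$PermanentDns  = "DC01"                        # placeholder: permanent DC that now hosts DNS
$Zones         = @("corp.example.local",       # placeholder: forward lookup zone
                   "1.168.192.in-addr.arpa")   # placeholder: reverse lookup zone

function Test-ZoneAdIntegrated([string]$server, [string]$zone) {
    # dnscmd /ZoneInfo reports "DsIntegrated = 1" for Active Directory Integrated zones
    $info = dnscmd $server /ZoneInfo $zone 2>&1
    return [bool]($info -match '^\s*DsIntegrated\s*=\s*1')
}

function Test-ZoneReplicated([string]$server, [string]$zone) {
    # The zone must appear in /EnumZones on the permanent DNS server before DNS is
    # removed from the upgrade box; AD replication can take up to 15 minutes
    $list = dnscmd $server /EnumZones 2>&1
    return [bool]($list -match ('^\s*' + [regex]::Escape($zone) + '\s'))
}

function Test-ReplicationHealthy([string]$server) {
    # repadmin /showrepl prints "failed" for any inbound partner that is not replicating
    $out = repadmin /showrepl $server 2>&1
    return -not [bool]($out -match 'failed')
}

function Get-FsmoHolders {
    # netdom query fsmo prints one "<role>   <holder FQDN>" line per role
    (netdom query fsmo 2>&1) | Where-Object { "$_" -match '\S+\.\S+$' } |
        ForEach-Object { $parts = [regex]::Split("$_", '\s+'); $parts[$parts.Length - 1] }
}

function Test-ReadyToDemote {
    $ready = $true
    foreach ($z in $Zones) {
        if (-not (Test-ZoneAdIntegrated $UpgradeServer $z)) { Write-Host "STOP: $z on $UpgradeServer is not AD integrated"; $ready = $false }
        if (-not (Test-ZoneReplicated $PermanentDns $z))    { Write-Host "STOP: $z has not replicated to $PermanentDns"; $ready = $false }
    }
    if (-not (Test-ReplicationHealthy $UpgradeServer)) { Write-Host "STOP: replication failures reported on $UpgradeServer"; $ready = $false }
    return $ready
}

function Test-RolesMoved {
    # Run after DCPromo finishes: all five FSMO roles must be held by other DCs
    $holders = @(Get-FsmoHolders)
    $stale   = @($holders | Where-Object { $_ -like "$UpgradeServer.*" })
    return ($holders.Count -eq 5 -and $stale.Count -eq 0)
}

if (Test-ReadyToDemote) { Write-Host "Ready: run DCPromo on $UpgradeServer, then run Test-RolesMoved" }
else                    { Write-Host "Not ready: fix the STOP items above before demoting" }
```

Run it from a permanent DC before DCPromo, then call Test-RolesMoved after the demotion and reboot; only a $true there means it is safe to pull the upgrade box off the network.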
Cleaning Up Your Network
Before you can convert your Active Directory from mixed mode to native mode (PURE Windows Server 2003 DCs) you must remove all NT 4.0 BDCs. This is something you should make a priority. Several Active Directory features are disabled as long as you are in mixed mode, including Universal Groups and Remote Access Policies (for VPN and dial-up).