[THIN] Re: AD

  • From: "Durbin, Jeff" <jdurbin@xxxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 3 Sep 2003 13:30:02 -0700

Another thing to consider is that if you migrate your user profiles,
they're already tattooed with NT4 policy settings, which may conflict
with a value that you then try to set using a GPO. For example, if you
have a user who got the setting to 'not allow registry editing' from an
NT4 policy, then you migrate the user & profile to AD, create a GPO that
*allows* the user to edit the registry, the user may end up with a
registry that has two settings that conflict. This is because the
locations for policy settings have changed from NT4 to AD. I'm not sure
what happens when you have this conflict, but if you plan to create new
GPO's and migrate NT4 profiles, you'll want to test it so you know what
you're dealing with.

        -----Original Message-----
        From: Keith Duckworth [mailto:KDuckworth@xxxxxxxxxxxxxxx] 
        Sent: Wednesday, September 03, 2003 1:00 PM
        To: 'thin@xxxxxxxxxxxxx'
        Subject: [THIN] Re: AD
        
        
        I agree with Jeff:  the best thing is to rebuild your GPO's. 
         
        Best thing to do is to build your GPO's where you know they are
        going, what they are doing.  In that way, you can have a tight
        control and understanding where everything is, and what is
        happening behind the scenes.
         
        If you let the ADMT or the GPOLMIG do your work, you are pretty
        much at the mercy of Microsoft to decide how everything is going
        to go.
         
        It may take longer to do your GPO's, but in the long run you
        will save yourself MANY headaches and frustrations.  Plus, you
        won't hear as many complaints from your end-users.
         
         
        Keith

                -----Original Message-----
                From: Durbin, Jeff [mailto:jdurbin@xxxxxxxxxxxxxxxxxxx] 
                Sent: Wednesday, September 03, 2003 2:44 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: AD
                
                
                  I just did a migration of a customer's domain from NT to AD
                using the Domain Restructure method, in which a new domain is
                built and objects (users, groups, computers) are moved over
                gradually. I would avoid this situation if possible, and use
                the Domain Upgrade method, which is far easier. If you're
                doing Domain Restructure, you'll have to use a tool, like the
                ADMT, to translate NTFS security to groups in the new domain,
                which can be a problem if the NTFS permissions aren't
                configured to allow Domain Admins full control.
                  Another issue you'll deal with is migrating your NT4 System
                Policy (which, hopefully, you are using) to Group Policy.
                There is a ResKit utility (GPOLMIG.EXE) that will do it, but
                be aware that you'll then be using NT4 settings in AD, which
                will tattoo user registries (whereas GPO's don't tattoo). A
                better, but potentially more time-consuming option, is to
                rebuild your policies from scratch as GPO's.
                  You may want to discard my opinion though - I work for a
                Systems Integrator (a reseller)!!!! :)
                 
                Jeff Durbin

                        -----Original Message-----
                        From: Schneider, Chad M. [mailto:CMSchneider@xxxxxxxxx]
                        Sent: Wednesday, September 03, 2003 10:19 AM
                        To: thin@xxxxxxxxxxxxx
                        Subject: [THIN] AD
                        
                        
                        How bad is it, taking WIN2K servers, in an NT 4
                        domain, and adding them to AD?

                        We are prepping for AD, and I want a Citrix user
                        opinion, not what a reseller tells me.
                         

                        Chad Schneider
                        Technology Analyst
                        Bemis IT
                        920-303-7609 

                         
