How do I migrate the file resources on a 'Microsoft Windows NT 4 BDC' or 'PDC' to a new server in th (NETIQKB4162)

  • 7704162
  • 02-Feb-2007
  • 08-Sep-2008


How do I migrate the file resources on a 'Microsoft Windows NT 4 BDC' or 'PDC' to a new server in the new domain?

Server Consolidator 2.0

Server Consolidator 7.1

Domain Migration Administrator 7.1


Domain Migration Administrator (DMA) cannot be used to migrate a Windows NT 4 domain controller to a new domain.  However, the data on an Windows NT 4 domain controller can be migrated to a new server in a the target domain.

If the target domain is in native mode, domain local groups can be used for permissions on member servers.  You can use DMA to migrate the domain local groups from the source domain to the target domain.  After migrating the local groups to the new domain, use 'Server Consolidator' to migrate the data to a new server, then use DMA to translate security on the new server. 

Another unsupported option is to migrate the Domain Local groups from the source to a local group on a Member Server by specifying \\servername as the target domain during Migrate Groups wizard. This will only work if the selected source groups are Domain Local Groups, rather than Global Groups.

The steps in either case are as follows:

  1. Use the 'Migrate Groups' wizard in DMA to migrate the NT 4 local groups to the Active Directory target, where they will be created as domain local groups.  (They will be created as standard Local Groups if the target is a Member Server rather than a domain). Note: Some built-in local groups, such as Server Operators, cannot be migrated because the SID is the same in every domain. 
  2. Groups and users that were members of the NT local group will become members of the new domain local groups in the target domain. (Or the local group on the member server if the target is a Member Server rather than a domain)
  3. Use 'Server Consolidator' to migrate the data from the source BDC or PDC to a member server that is already in the target domain.  Server Consolidator will copy the ACL's exactly as they are.  Therefore, the NTFS ACL's will have unrecognized SIDs when you check security on the migrated data.
  4. Use the 'Translate Security Settings' wizard in DMA to translate security on the member server.  This will use the mappings in the DMA database to add the corresponding AD domain local group to ACL's wherever the SID of the source local group appears.

If the target domain is not in native mode, refer to the following knowledge base article for more information:


Please refer to the following knowledge base article for information regarding maintaining local group membership with a source accounts domain and a source resource domain:

Additional Information

Formerly known as NETIQKB4162