SQL Server 2000 Login problem - NT to AD domain migration

  • I recently migrated an NT4 domain to a new Win 2003 AD domain, and moved my SQL Server 2000 machine (Win 2K Server) into the AD domain as a member server (not a DC). I did the following sequence of steps:

    1. Set up the Win 2003 AD domain

    2. Set up 2-way trust between AD and NT domains

    3. Migrated the NT users & groups with SID histories via ADMT

    4. Joined all the client workstations and migrated user profiles

    5. Created the SQL Server (2000) logins for the AD domain, with renamed users, but the same role memberships and database access as their NT domain counterparts

    6. Joined the SQL Server machine to the AD domain as a member server. (It was also a simple member server in the NT domain.)

    7. Broke the trust & turned off the NT PDC.

    Throughout each step of the migration, all users have had normal access to all network resources including SQL Server databases. At this point, the network looks like:

    - Win 2003 DC/File Server

    - Win 2000 SQL Server/Print Server (NOT a DC)

    - 50 client workstations

    Now I have duplicate logins in SQL Server (one from NT domain, one from AD domain) for each user. sp_who and Enterprise Manager Current Activity report AD\LoginName is in use for any given user, but if I try to deny access to the NT\LoginName, the user can't connect to SQL Server. I want to get rid of these NT domain logins but I'm not sure how to, given this problem. I suspect the SID histories, but I'm not that knowledgeable about them. Any ideas?

    Thanks.

    Georgiann Sanborn

  • Likely it is the SIDs. Try this: pick one particular login that you know has few ties to databases. Run an sp_revokelogin against the NT4 domain login. Check to see if the AD domain login was affected.

    K. Brian Kelley
    @kbriankelley
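
Added example (not part of either post above, and not code from the posters): a small offline check that decodes the binary SIDs stored in `syslogins.sid` and reports which NT-domain logins have a SID that an AD account still carries in its `sIDHistory`. It assumes the SID-history explanation suggested in the reply is right, and that the login SIDs and the AD accounts' `objectSid`/`sIDHistory` values have been exported somehow; all names and SIDs below are constructed.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID (the form held in syslogins.sid) to S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def map_sid_history(sql_logins, ad_accounts):
    """For each SQL login whose SID is not an AD account's current SID, return the
    AD account whose sIDHistory holds that SID, or None if no account carries it."""
    current = {a["objectSid"] for a in ad_accounts.values()}
    carried_by = {old: name for name, a in ad_accounts.items()
                  for old in a["sIDHistory"]}
    result = {}
    for login, hex_sid in sql_logins.items():
        text = hex_sid[2:] if hex_sid.lower().startswith("0x") else hex_sid
        sid = sid_to_string(bytes.fromhex(text))
        if sid not in current:
            result[login] = carried_by.get(sid)
    return result

# Constructed sample data (hypothetical logins, domains and SIDs).
_NT = "0x010500000000000515000000" "010000000200000003000000"  # S-1-5-21-1-2-3
_AD = "0x010500000000000515000000" "070000000800000009000000"  # S-1-5-21-7-8-9
SQL_LOGINS = {
    "NT\\jsmith": _NT + "51040000",        # RID 1105
    "NT\\olduser": _NT + "b0040000",       # RID 1200
    "AD\\john.smith": _AD + "d1070000",    # RID 2001
}
AD_ACCOUNTS = {
    "AD\\john.smith": {"objectSid": "S-1-5-21-7-8-9-2001",
                       "sIDHistory": ["S-1-5-21-1-2-3-1105"]},
}

if __name__ == "__main__":
    for login, account in map_sid_history(SQL_LOGINS, AD_ACCOUNTS).items():
        if account:
            print(f"{login}: SID still carried by {account} via sIDHistory")
        else:
            print(f"{login}: SID not found in any exported sIDHistory")
```

Under the stated assumption, a login reported as carried by an AD account is one where denying the NT login would be expected to affect that AD user as well.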
