Merging to different Forests and Domains...

Discussion in 'Active Directory' started by dave.mudgett, Mar 1, 2006.

  1. dave.mudgett

    dave.mudgett Guest

    I have a general question on procedures...

    I have two different forests, abc.com and def.com. The have a trust between
    them, but the time has come to colapse def.com and migrate it into def.com.
    I was wondering if someone could point me in the right direction. I know
    about the ADMT Utility, but was wondering what kind of affect it would have
    on my file server, print server and any workstation that is a member of the
    domain.

    Thanks in advance for any help.
     
    dave.mudgett, Mar 1, 2006
    #1
    1. Advertisements

  2. dave.mudgett

    john Guest

    If you migrate SID history as well as user accounts, and remove file, print
    server from the old domain, add them as member server to the new domain;
    users will access resources as before. You do not have anything to do on file
    and print shares. Because, SID history is migrated and resources are being
    accessed by checking SID numbers.

    For the workstations, you need to copy profiles to their new domain profile
    location.
     
    john, Mar 1, 2006
    #2
    1. Advertisements

  3. dave.mudgett

    dave.mudgett Guest

    thanks

     
    dave.mudgett, Mar 1, 2006
    #3
  4. Migration high level steps are:
    * Make sure the AD has been configured (sites, subnets, replication, OUs,
    GPOs, delegations, DNS, WINS, DHCP, etc.)
    * Setup name resolution (WINS or DNS) between source and target
    domain/forest
    * Setup trusts (if an external trust is configured and sidhistory is used,
    disable sid filtering)
    * Install and configure migration tooling
    * Migrate groups, user accounts with passwords and group memberships (with
    sidhistory)
    * Migrate clients from the source domain to the target domain, translate
    security on the client, and translate profiles (at this moment users start
    logging on with their new AD account on the migrated clients that have been
    migrated previously to the w2k3 domain)
    * Migrate mailboxes if needed
    * Migrate servers to the new domain or migrate data to new servers
    * Translate security (Re-ACL) of the data/resources from source security
    principals to target security principals (replace the security descriptors
    from the old domain with the security descriptors from the new domain )
    * Cleanup temporary configurations
    * Cleanup sidhistory (recommended!). sIDHistory is used to access resources
    while those resources still have security descriptors from the old domain.
    As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed
    sIDHistory can be cleaned. Sidhistory should only be used temporary for
    migration purposes!
    * Remove trusts
    * Decommission old domain(s)

    For more info on migrating to an AD domain also see:
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx

    ADMTv3 has been out for a while, so be sure to use that version.
    (http://www.microsoft.com/downloads/...7B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)

    SID filtering is ALWAYS configured on the outgoing part of a trust! (not
    saying now if it is disabled or not!!!)
    On the outgoing trust (source --> target) sidfiltering is enabled by default
    if the trusts was created on a W2KSP4 DC or higher (it is disabled by
    default if the trust was created on a W2KSP3 DC or earlier(and thus NT4
    also!). This TRUE for external trusts, but not for forest trusts (only
    possible between W2K3 forests with both Forest functional level Windows
    Server 2003) (what the document says about forest trust and SID filtering
    being enabled is WRONG!)
    For more info see:
    http://www.microsoft.com/technet/pr...elp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx


    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
     
    Jorge de Almeida Pinto [MVP], Mar 1, 2006
    #4
  5. dave.mudgett

    Mitch Guest

    Dave

    Do not remove the file and print server use ADMT to migrate it then clean up
    the security with the ADMT tool it really works. If you read through the
    ADMT utility help files it explains it all pretty well.
     
    Mitch, Mar 2, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.