Moving member Win 2003 and 2000 servers to new Win 2003 AD domain

Discussion in 'Windows Server' started by Mike Bannister, Feb 6, 2007.

  1. I need to move a couple of Windows 2003 servers from one domain to another
    domain. The servers to be moved are just member servers, not domain
    controllers, and the old and new domains have no existing relationship. In
    essence: remove from the existing domain and join a newly established domain.

    No users or other objects are involved, as new accounts will be established
    in the domain the servers are being moved to. The only issue that I can see
    upfront is the file permissions and ownership of these files, as they will no
    longer be mapped to user accounts in the "old" domain?

    Is there a documented procedure for doing this type of move? Are there any
    major gotchas to watch out for?

    Mike Bannister, Feb 6, 2007

  2. Herb Martin, Guest

    Other than those permissions/ownership you mention above, or specific
    software running on those machines which is "domain dependent" or otherwise
    uses domain IDs, there isn't.

    SubInACL.exe will help with the permission ownership issue.

    What runs on these servers? What do they actually DO?
    Herb Martin, Feb 6, 2007

  3. One of the servers is running a database and print services, and the other has
    just got some file shares and the users' home directories. Really pretty basic.

    The organization that houses the "new" domain is severing ties with the
    organization that supports and maintains the parent domain (political squabble
    between gov agencies), so the level of cooperation is less than optimal.

    Is it possible to move the accounts to the new domain? If so does it make
    sense to move the user accounts?
    Mike Bannister, Feb 6, 2007
  4. Herb Martin, Guest

    Does the database use "integrated" security, i.e., Windows accounts?

    Will the users be moving with the Server? (How will they get to their
    home directory files?)

    Move? Not really. Migrate? Yes. You can use ADMT to migrate the
    accounts and include SID History so they will still have access to the
    current files, but you are moving the servers too so maybe it will be easier
    to just reset all the permissions on the files to the "new" users.

    Tedious but possible.

    SubInAcl.exe might help if you have a list of old to new SIDs so you could
    substitute them.
    Herb Martin, Feb 6, 2007
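    The "list of old to new SIDs" approach Herb describes, written out as an added PowerShell example (this is not code from the thread, nor a SubInACL wrapper). It walks a share, lists every explicit ACE and owner that the new domain can no longer resolve to a name, and, only when run with -Apply, swaps each orphaned SID for the new-domain account you have mapped it to. The SID and account names in the comments are constructed placeholders; the $SidMap table is something you build yourself from the old domain's user list.

```powershell
<#
  Added example, not from the thread. Reports (and, with -Apply, rewrites)
  explicit ACEs and owners that reference SIDs the new domain cannot resolve.
  $SidMap is a table you build yourself from the old domain's user list, e.g.
  @{ 'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'NEWDOMAIN\jsmith' }
  (SID and account names above are constructed placeholders).
#>
param(
    [Parameter(Mandatory)] [string] $Path,     # e.g. D:\Shares\Home
    [hashtable]                     $SidMap = @{},
    [switch]                        $Apply     # without -Apply: report only
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

function Test-OrphanedSid {
    param($Identity)
    # Get-Acl translates SIDs to DOMAIN\name where it can; an identity that is
    # still a SecurityIdentifier (or an S-1-... string) could not be resolved.
    return ($Identity -is $sidType) -or ("$Identity" -match '^S-1-')
}

function Repair-OrphanedAcl {
    param([string] $Root, [hashtable] $Map, [bool] $Commit)
    $report  = New-Object System.Collections.Generic.List[object]
    $targets = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

    foreach ($item in $targets) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $dirty = $false

        # Only explicit ACEs can be edited on this object; inherited ones are
        # corrected once at the parent that defines them.
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            if (-not (Test-OrphanedSid $ace.IdentityReference)) { continue }
            $oldSid  = "$($ace.IdentityReference)"
            $newName = $Map[$oldSid]
            $report.Add([pscustomobject]@{
                Path = $item.FullName; Kind = 'ACE'; OldSid = $oldSid
                Rights = $ace.FileSystemRights; MappedTo = $newName })
            if ($Commit -and $newName) {
                # Rebuild the ACE with the same rights/inheritance for the new identity.
                $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    ([System.Security.Principal.NTAccount] $newName),
                    $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
                $acl.RemoveAccessRuleSpecific($ace)
                $acl.AddAccessRule($newAce)
                $dirty = $true
            }
        }

        # Owner is exposed by Get-Acl as a string; an unresolved one reads S-1-...
        if (Test-OrphanedSid $acl.Owner) {
            $newOwner = $Map["$($acl.Owner)"]
            $report.Add([pscustomobject]@{
                Path = $item.FullName; Kind = 'Owner'; OldSid = "$($acl.Owner)"
                Rights = $null; MappedTo = $newOwner })
            if ($Commit -and $newOwner) {
                $acl.SetOwner(([System.Security.Principal.NTAccount] $newOwner))
                $dirty = $true
            }
        }

        if ($dirty) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
    return $report
}

Repair-OrphanedAcl -Root $Path -Map $SidMap -Commit $Apply.IsPresent |
    Format-Table Path, Kind, OldSid, Rights, MappedTo -AutoSize
```

    Run it first without -Apply on the server after it has joined the new domain; the output is the "what is orphaned" report, and anything whose OldSid is not in $SidMap stays untouched (and listed) so nothing is silently dropped. Assigning ownership to another account needs an elevated session holding the Restore privilege, so run the -Apply pass as an administrator; taking a backup of the share's ACLs before that pass (icacls /save is the built-in way) gives you a rollback path.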
  5. The database has no AD ties whatsoever. It is a 4D (Mac db ported to Win).
    Yes, the users are moving to the new AD domain.
    Mike Bannister, Feb 6, 2007
  6. Herb Martin, Guest

    Then your only (significant*) issues are the permissions that reflect the
    "old SIDs", and these either need to be maintained or replaced after the move.

    Of course, watch out for clients in the old domain who are using this server;
    they should stop doing so (hard coded DNS or WINS settings would be the most
    Herb Martin, Feb 6, 2007
  7. Herb-

    Here is my plan please feel free to critique, add to or subtract from it:

    1. Make sure there is a local account on the servers with admin privileges
    2. Disconnect from the network and domain
    3. Move the servers to the "new" network and join them to the "new" domain
    4. Establish new user accounts (only approximately 15 users)
    5. Re-map files and shares to the new user accounts
    6. Re-establish print services in the "new" domain
    Mike Bannister, Feb 6, 2007
  8. Herb Martin, Guest

    You omitted correct permissions and perhaps ownership on the files
    and permissions on the file shares and printers.

    Your users will be "new" and so their old permissions, even ownership
    will be worthless.
    Herb Martin, Feb 6, 2007
  9. Ken Aldrich, Guest

    Yeah, the ACLs on your File System Objects are going to have a lot of
    unresolved SIDs. The owner will probably be unresolved as well.

    If you're not taking advantage of ADMT and SIDhistory (which requires a
    trust, etc), then you're going to have to manually recreate file
    permissions. For 15 users in a simple network it might not be a big deal.

    There are tools out there to document the file system permissions and clean
    up the invalid SIDs on the File System Objects once you are in your new
    environment. Some are more difficult than others. I recommend DSRAZOR for:
    1) reporting file system permissions in your old domain
    2) reporting file system permissions in the new domain to make sure things
    are set up as intended
    3) cleaning up the invalid SIDs in your File System Objects

    DSRAZOR can handle all three of these things without any scripting. The
    canned applets will do these for you.
    If you'd like a demonstration check out
    Ken Aldrich, Feb 6, 2007