Active Directory Migration
slinuxuzer
Member Posts: 665
My company is planning on migrating our domain from a previous 2k domain (DFL is 2000 mixed) to a new 2003 domain (this will be a child domain of another of our business units).
The main motivation for switching is that we will be in our own domain, and thus have more control over things. The 2000 domain was put in 2 years ago to upgrade NT 4.0. I am going to be the one doing this, so I know that to retain SID history I will have to raise the DFL to 2000 native, then create the new 2k3 domain, create an external trust, and use the ADMT to migrate users, groups and computers.
Two things I am unsure of: our file servers have extensive ACLs set up for the old domain. Do the groups retain SID history? And once the file servers are joined to the new domain, should the migrated groups and accounts still have access to these servers?
Also, is there any way to migrate user profiles other than visiting each user's computer?
There are a hundred-plus groups, computer and user accounts that we are dealing with here, no GPOs in the 2k domain and no OU structure to speak of.
Comments
-
royal Member Posts: 3,352
ADMT will migrate user profiles. The file server's ACLs are based on SIDs, so when you migrate SID History, access will still be there.
http://www.microsoft.com/downloads/details.aspx?FamilyID=d99ef770-3bbb-4b9e-a8bc-01e9f7ef7342&DisplayLang=en
Quest's Quest Migration Manager (QMM) for Active Directory is really good at re-ACL'ing everything including services such as SQL. It will keep everything between the two directories in sync and allows you to revert back.
There's also a QMM for Exchange if you plan on migrating over Exchange as well. The documentation for QMM integrates both AD and Exchange so you know how to do both in parallel. What's nice about QMM for Exchange, is when you migrate a user, it'll create a contact in the old domain with the e-mail address of the migrated mailbox for co-existence while leaving that user in the GAL.
Quest will also migrate over users' profiles. I would recommend reading that ADMT guide before you even try to migrate. If you're interested in Quest (it's expensive), let me know and I'll log in to the partner site and get some of the documentation for you to look at.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
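Added example, not part of the original thread: a small Python model of the SID-based access check royal describes, showing why a migrated account that carries SID history still matches ACLs written in the old domain, and what re-ACLing changes. The domain SIDs, RIDs, account names and the `migrate` and `re_acl` helpers are constructed for illustration; they are not ADMT or Quest APIs.

```python
from dataclasses import dataclass, field

OLD_DOM = "S-1-5-21-1111111111-1111111111-1111111111"  # constructed SIDs, not from the thread
NEW_DOM = "S-1-5-21-2222222222-2222222222-2222222222"
READ, WRITE = 0x1, 0x2

@dataclass
class Principal:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # group Principals

def migrate(p, new_rid, keep_sid_history):
    """Copy a principal into the new domain; it always receives a new SID."""
    history = [p.sid] + p.sid_history if keep_sid_history else []
    groups = [migrate(g, new_rid + i + 1, keep_sid_history) for i, g in enumerate(p.member_of)]
    return Principal(p.name, f"{NEW_DOM}-{new_rid}", history, groups)

def token_sids(p):
    """SIDs in the logon token: own SID, its SID history, and the same for each group."""
    sids = {p.sid, *p.sid_history}
    for g in p.member_of:
        sids |= token_sids(g)
    return sids

def access_check(token, acl, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit fails the request."""
    remaining = desired
    for kind, sid, mask in acl:
        if sid not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def re_acl(acl, sid_map):
    """Rewrite ACEs so they reference new-domain SIDs instead of old ones."""
    return [(kind, sid_map.get(sid, sid), mask) for kind, sid, mask in acl]

old_group = Principal("Finance", f"{OLD_DOM}-1105")
old_user = Principal("jdoe", f"{OLD_DOM}-1201", member_of=[old_group])
share_acl = [("allow", old_group.sid, READ | WRITE)]  # ACL as written in the old domain
with_history = migrate(old_user, 2001, keep_sid_history=True)
without_history = migrate(old_user, 2001, keep_sid_history=False)
new_acl = re_acl(share_acl, {old_group.sid: with_history.member_of[0].sid})
```

Once every ACL has been rewritten as in `new_acl`, access no longer depends on the old SIDs being present in the token.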
slinuxuzer Member Posts: 665
Thanks, royal. I am planning on doing extensive research and testing on VMware first. I did some of this already in a Global Knowledge class. Once I have run a few tests with ADMT I will know if it will do what we need. Thanks for your response.
-
royal Member Posts: 3,352
No problem. In any case, if the users' profiles aren't migrated over properly, instead of doing the whole log in to local admin and copy local profile over to their new domain profile, you can use a tool called ForensIT Profile Migrator. I've used the tool before and it is amazing! If you buy the corporate edition ($2/seat) they'll give you VBScript modification functionality to it. Other than that, you can run the GUI tool on each machine and scan for local profiles, choose the domain account, and migrate. It won't copy data, but rather assigns ACL permission on the local profile folder for the domain account to get access, and then modifies the registry so the domain account will use the older profile. So it's as if nothing ever changed for the user.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
slinuxuzer Member Posts: 665
Royal, the ForensIT profile manager, does this come with Quest? Or does Quest have its own solution for this?
We have about sixty workstations or so and a few file servers, and are doing a forest to forest migration from 2k to 2k3 and after looking at the migration tool, it appears to be a pain to get it to work correctly with 2k to 2k3.
Does Quest do a good job at migrating computers?
Is Migration Manager the tool I would need to purchase and can you give me any idea what the cost might be? Or point me to some more info?
Thanks
-
royal Member Posts: 3,352
ForensIT Profile Migrator is a separate utility. Quest's tools have their own profile migrator built in.
Quest is the best tool out there for migrating. It's the premier migrating utility at a hefty cost.
I would contact Quest about costs. They base migration costs off the number of objects being migrated so it costs less for smaller shops and much more for enterprises that have much more to move.
“For success, attitude is equally as important as ability.” - Harry F. Banks