kam_uk asked:
Migrating to new AD forest

Hi

We are currently a multi-domain forest with Windows 2003 FL/DL with Exchange 2003. We're looking into implementing Windows 2008 DCs and one option is to just create an entirely separate, and new, forest based on Windows 2008 R2 DCs and Exchange 2010.

We'll implement two way trusts between the two forests. Forest1 is the 2003 Forest and Forest2 will be the 2008 one.

This is very much in the initial phase so I was hoping for some feedback from the experts here :)

1. Can we implement trusts between certain domains in the 2003 and 2008 forests only (i.e. I believe they are called Domain Trusts, as opposed to the Forest trust that includes all domains)?

2. Can we migrate AD accounts between two forests? What happens in relation to the SIDs/GUIDs etc.?

3. Can we migrate mailboxes between the two forests?

4. If we choose to migrate mailboxes but decide that migrating AD accounts is too complicated, is this possible?
Asker certified solution by Mike Kline (members-only content, not shown on this page)

Solution (members-only content, not shown on this page)
kam_uk (asker):
Hi Guys

Thanks..

Regarding the AD account move - how can this actually be accomplished between two forests? On a smaller scale, is it something as easy as 'move' AD account via ADUC, providing the trusts are in place? Or does something like ADMT (which doesn't work on 2008 R2) have to be used?

Secondly, let's say Domain1\User1 in Forest1 is moved to Forest2 so that it is Domain11\User1. Would it still have the same SID and be able to access resources in Forest1 (again, providing the trusts were in place) that it had access to before?

You will not be able to just simply move the accounts between the two forests via ADUC. You will need to use a tool like the ADMT or the Quest Migration toolkit. I can't speak for the Quest tools since I've never used them, but as far as the ADMT goes it will copy over SID history when migrating accounts between forests. There is some prep work that you need to do with the trusts to allow SID history, but as long as you do this ahead of time then yes, all of the permissions from domain1\user1 should be available to domain2\user1.

The ADMT tool will also allow you to bring over groups and computers. When using the ADMT tool to migrate computers it will perform the security translation to allow the migrated user/group accounts the same access to the machine as they had in the old domain.
Some of the prep work that comes in with SIDHistory is disabling SID filtering.
One thing about Quest is if you buy their tool I think you have to buy some of their professional services too (that is how it used to be). If that is still the case it is good and bad. The bad is the extra money. The good is working with guys that have done hundreds of migrations and have seen a lot of issues, etc.
Thanks
Mike
kam_uk (asker):
Thanks guys..

So regarding the SID history - will it basically give the account the same SID in the new forest as it had in the old?

I've also heard there is the possibility to re-ACL - does anyone have any details regarding this? I guess if we can't keep the SID history (since ADMT is not available in 2008 R2), re-ACL'ing is the other solution we have?
The account will have a new SID but also have the SIDHistory on the new account.

You would generally migrate with SIDHistory, then reacl, then cleanup SIDHistory.  Good diagram overview here (high level)

http://www.sivarajan.com/admt.html

...so yes, to access resources in the source forest/domain you have two choices:

1.  SIDHistory
2.  re-ACL'ing

Thanks

Mike
kam_uk (asker):
Thanks Mike.

So basically, am I right in thinking that re-ACL changes the ACLs on the resources in the original forest so that they can be used by the new SIDs of the accounts in the new forest?
Solution (members-only content, not shown on this page)
Yes, the re-ACL will ACL the files and folders on the source file server (for example). Also remember that in the end the goal is also to migrate the file servers etc. and eventually decommission the old domains (I've seen that take years).

Thanks

Mike
kam_uk (asker):
Thanks Mike - but do you know how the re-ACL'ing actually works?

I mean if I had a fileshare that allows access to 100 user accounts that reside in Forest1, how does the re-ACL work so that the new SIDs of these accounts have access once the accounts are moved to Forest2?
Check the ADMT guide, the parts about translating security (re-ACL'ing):

http://www.microsoft.com/downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

The section titled "Migrating Accounts Without Using SID History" is a good one because in some environments you can't turn off SID filtering.

Thanks

Mike