neomage23 asked:

Re-install Active Directory (but keep the user list)?

Hello Experts!

My basic questions are as follows:

1. What is the best way to re-install Active Directory for my company?
2. Can I "export" the user list for "import" into the new Active Directory Schema?
3. What are the consequences of doing this?

In addition to that, I feel it best to provide background information...

1. The administrator that I replaced didn't do anything with Active Directory except the most basic (i.e. DNS & User List). So there are no Organizational Units; there are no weird permission issues.

2. The "first domain controller" is on Windows 2000, and there is an "additional domain controller" on Windows 2003 Enterprise Edition.

3. It appears that the previous admin installed Exchange 2003 Standard on the Windows 2003 machine, and then "re-installed" a completely new instance of Windows 2003 and Exchange 2003 on that same machine, without first removing it properly from Active Directory.

4. The Exchange Server is not in use. Yet. But I would like it to be.

5. I need to completely remove Active Directory, not just install over it.

6. If possible, I want to use ldifde.exe to export ONLY the users, so that after the 2000 machine is DEMOTED and all of AD is uninstalled - I can then import the user list back in and the whole thing will seem transparent to my users. (side question: what happens to passwords if this happens?)


Thank you in advance to whomever is willing and able to answer!

-neomage

ASKER CERTIFIED SOLUTION
wtp_issc

This solution is only available to members.
kelo501

Check out csvde.exe. If you do not have email settings to migrate and are only looking to automate user export and import, it is simple and fast. LDIFDE has a lot of advantages over csvde.exe, but it does not sound like you need them.

Read this and see if it helps...

http://support.microsoft.com/default.aspx?scid=kb;en-us;327620

When you export users, you won't be exporting two important things:
- Passwords
- SIDs

There's a tool called "active directory migration tool" admt.exe
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

That tool can keep the old SID for user and group accounts. That way, the old security applied to resources can still be used.

The common problem when migrating accounts is that you have to redefine permissions for all files (users' home directories, profiles, etc)

To use this tool, both domains will need to have different names.

If you have a relatively large number of users (say above 50), it can be a pain in the back going for a migration. Therefore I'd try to delete all traces of the Exchange server in AD.
(see: http://www.brienposey.com/kb/removing_exchange_2000_from_ad.asp)

If you have less... I'd wipe the machines clean (not only AD) and reinstall from scratch. If you just uninstall AD, a lot of things will remain there (dns files for the zones, etc.). Deleting all those files and troubleshooting things that don't work 100% (group policies not replicating, ...) will take you much longer.

cheers
ruben
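
An added illustration of the point made in the answer above, that an export carries neither passwords nor SIDs the new domain will honor. It is not part of any poster's reply; the attribute lists, function names and the sample record are assumptions constructed for this example, which audits an ldifde-style LDIF file before it is relied on for a rebuild:

```python
import base64, struct

# Assigned by the directory itself; a new domain issues new values on import.
NOT_CARRIED = {"objectsid", "objectguid"}
# Password material, which AD does not return on an LDAP read.
PASSWORD_ATTRS = {"unicodepwd", "dbcspwd", "ntpwdhistory", "lmpwdhistory"}

def sid_to_str(raw):
    """Render a binary SID as S-<rev>-<authority>-<sub-authorities>."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-" % (raw[0], authority) + "-".join(map(str, subs))

def parse_ldif(text):
    """Parse LDIF text into a list of {attr_lowercase: [bytes, ...]} records."""
    records = []
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            rec.setdefault(name.lower(), []).append(value)
        if rec:
            records.append(rec)
    return records

def audit(records):
    """Per user: old SID, whether password data is present, what will not carry over."""
    out = []
    for r in records:
        if b"user" not in r.get("objectclass", []):
            continue
        out.append({
            "account": r["samaccountname"][0].decode(),
            "old_sid": sid_to_str(r["objectsid"][0]) if "objectsid" in r else None,
            "has_password": bool(r.keys() & PASSWORD_ATTRS),
            "not_carried": sorted(r.keys() & NOT_CARRIED),
        })
    return out

# Constructed sample record in the shape of an ldifde export (not real data).
_sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1104)
SAMPLE = ("dn: CN=Jane Doe,CN=Users,DC=old,DC=example\nobjectClass: user\n"
          "sAMAccountName: jdoe\nobjectSid:: " + base64.b64encode(_sid).decode() + "\n")
```

Every `old_sid` it reports is one that file and share ACLs still reference after the rebuild, and every account with `has_password` false needs a password reset plan.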
neomage23 (ASKER)

Hey everyone! Thanks to all of you for responding and posting answers.

I ended up talking about this with someone from Microsoft and he suggested I try to de-evolve the network back to just the single GC by demoting the 2003 DC (using DCPROMO /FORCEREMOVAL) if necessary.

Then he referred me to: http://support.microsoft.com/?id=216498 to remove stubborn AD Objects.

Between that and the Exchange removal article mentioned by "ruben" - I think that I'll just try to wipe Exchange and the 2003 DC from AD and start fresh with a fresh new installation of the 2003 DC w/ Exchange 2003.

Thanks again!