Moving to a new domain

I rather messed up my production AD server, however managed to get it operational for all intents and purposes.  However there are still some errors which seem to indicate that replication with another AD server will not take place (the next step was to implement another AD server, but that's taking the back seat).  So now, I have built a new Windows 2003 AD server.  I would like to move all the Kerberos Principals, and AD Computer objects to a new domain, WITH THE SAME NAME.  Basically I do not want to rebind hundreds of lab machines to a new domain (I know a script may be written, I would just prefer to not do it that way).  I know I can use ldifde to extract all the LDAP information, however how I get the Kerberos principals out and into the new AD server I don't know.  Any suggestions?
Flash828Asked:
WeHeCommented:
I would not do this and I never heard this was done.
You should rename the old domain and migrate the users and computers with AD Migration Tool to the new (old-named) domain.
0

Flash828Author Commented:
Well, will this also add in the garbage that's causing replication to fail?  As in, will this JUST copy the computer and user accounts (which is what I want)?  If so, that is most definitely the solution I am seeking.
0
Flash828Author Commented:
And will this require me to rebind all my current machines?
0
Flash828Author Commented:
haha.. sorry... one more thing, where do I find this tool?
0
flyguybobCommented:
Regarding the tools that WeHe recommended....
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

Note:  If you only have a single DC in your environment you will want to check AD Sites&Services to see if there is an orphaned DC.  If you remove that orphaned DC then the replication errors should go away.

These two links should help you with removing the DC.
http://www.winnetmag.com/Article/ArticleID/13414/13414.html
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q216498&

You are going to have to figure out what to do with your DNS infrastructure as well, as clients will no longer talk to the old DC for DNS, but to the new DC.  I assume that your DCs are also providing DNS services.

Bob
0
Flash828Author Commented:
Actually I do have an orphaned DC... that's how this all came about, I just kind of re-installed Server 2003 on a member AD server, without first demoting it... which caused a whole host of problems... I'll look into the above links when I get in to work tomorrow.
0
Flash828Author Commented:
Actually, on first glance at your first link regarding the removal of the DC, that's exactly my problem, didn't run dcpromo to demote....
0
flyguybobCommented:
Be very careful when you go to remove it.  You will likely see one DC with NAME and another DC with NAME:CNF-32 character GUID.  If you are not careful you may end up whacking your only DC...and that would be bad.

It used to be that Quest offered the FastLane migrator tools for free.  You may want to see if they are still doing that.  It may allow you to move from domain to domain relatively painlessly.  Obviously there is a learning curve there.

Bob
0
Flash828Author Commented:
Just a heads up that I have not yet managed to test the excellent suggestions above, but I have not forgotten, and do appreciate everyone's help so far.
0
Flash828Author Commented:
Okay guys, I'm getting hung up on another problem here (and the way it looks right now I'm going to post a new question anyway so that you both can get points... as soon as I test this stuff out).  But since you guys are awesome, I need some more help (and if you answer I promise I'll post another 500 pointer and only accept your answers).  We have 10 Windows XP SP2 machines in "testing" right now.  However they aren't applying group policies, but instead they are complaining about "user from different forest logged onto this machine.  Cross Forest group policy processing........" with event ID 1109 in the event log.  It appears the solution to this is to enable Cross Forest group policy processing.  However Microsoft's suggestion is to enable it in group policy.........  But group policy ain't working.  Chicken and egg here.  What's to do?  (I promise 500 points separately to anyone who can answer this for me... I'm probably going to post it anyway shortly, but you guys really seem like you know your stuff).  A little more about my environment:

Windows 2003 Server w/ AD
Trusts MIT 5 Kerberos realm (account store; the users that fail GPs and profiles are these guys).
10 Test Clients with Windows XP SP2, Latest patch stepping

Any more info, let me know.
0
WeHeCommented:
To solve this for your domain, put it in the domain policy of the computer domain, not into the users domain.

To resolve this issue on a single client do this:
Log on to the computer as a user with administrator rights.
Click Start, click Run, type gpedit.msc, and then click OK.
Double-click Computer Configuration, double-click Administrative Templates, double-click System, and then click Group Policy.
In the right pane, double-click Allow Cross-Forest User Policy and Roaming User Profiles.
Click Enabled, click Apply, and then click OK.
Quit the Group Policy tool.
Allow sufficient time for the computer policy to be automatically updated, or update it yourself. To update the computer policy yourself, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Type the following command, and then press ENTER:
secedit /refreshpolicy machine_policy
Log off from the computer.
0
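To check that the domain-level setting WeHe describes has actually reached the lab clients, and to find the machines still logging the cross-forest failure, here is an added PowerShell script that is not from the thread. It assumes remote registry and remote event log access with admin rights, that the policy lands under HKLM\SOFTWARE\Policies\Microsoft\Windows\System as the value AllowX-ForestPolicy-and-RUP, and that Userenv writes event 1109 to the Application log; the client names are constructed.

```powershell
# Added example, not from the original thread.
# Assumed registry location of "Allow Cross-Forest User Policy and Roaming User Profiles".
$policyKey  = 'SOFTWARE\Policies\Microsoft\Windows\System'
$policyName = 'AllowX-ForestPolicy-and-RUP'

# Constructed list of lab clients; replace with the real names.
$clients = @('XPLAB01', 'XPLAB02', 'XPLAB03')
$since   = (Get-Date).AddDays(-7)

$report = foreach ($c in $clients) {
    # 1. Read the policy value that the domain GPO should have written. 1 = Enabled.
    #    $null means the computer policy has not been applied to this box yet.
    $value = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey($policyKey)
        if ($key) { $value = $key.GetValue($policyName) }
    } catch {
        $value = "error: $($_.Exception.Message)"
    }

    # 2. Count Userenv 1109 events (cross-forest GP processing refused) in the last week.
    $hits = 0
    try {
        $hits = @(Get-EventLog -LogName Application -ComputerName $c -Source Userenv -After $since |
                  Where-Object { $_.EventID -eq 1109 }).Count
    } catch {
        $hits = "error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Computer    = $c
        PolicyValue = $value
        Events1109  = $hits
    }
}

# Machines with PolicyValue 1 and a zero event count are done; the rest still need
# the computer policy refreshed (secedit /refreshpolicy machine_policy on XP).
$report | Sort-Object Computer | Format-Table Computer, PolicyValue, Events1109 -AutoSize
```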
Flash828Author Commented:
WeHe: Yeah, I was aware of these steps, however the point is that if this ever happens, when there are closer to 100+ machines, what's the solution?  Surely it can't be "go to every machine".  Also, if this setting is enabled in the future, how are new installations deployed with something like RIS?
0
WeHeCommented:
Flash828: Did you read my first line?
To solve this for your domain, put it in the domain policy of the computer domain, not into the users domain.
0
Flash828Author Commented:
Oh sorry.  The directions you wrote said to run gpedit, which I thought was local policy.  At any rate, yeah, this actually did resolve by following Microsoft's directions, but since I promised 500 points, I'll give 'em to you anyway.  I'ma work the whole new domain thing out real soon (it's a production server which is technically "working" fine from users' perspectives, and there is a bunch of other stuff to do, so sorry for holding everyone up).
0
Flash828Author Commented:
I still owe WeHe another 500 points.  So WeHe, how would you like to do this?
0
Flash828Author Commented:
P.S. - You guys are awesome
0
WeHeCommented:
> still owe WeHe another 500 points.  So WeHe, how would you like to do this?
If you really want this (and I understand you the right way), open a new question, post a link to it here and accept my answer :)
0