Maintaining User accounts in a tree with no root

Posted on 2009-04-23
Last Modified: 2012-05-06
I have a new client which asked for help because their old IT guy wasn't supporting their needs.  The old company "AT" had two partners which decided to split.  Before the split AT had a tree ( which was the forest root.  After the split the IT guy (same for both companies) created "" as a child tree (of the forest root) on the new server for the partner that eventually hired me.  The TT server is now a tree on its own with absolutely no connection (physical, VPN, or otherwise) with AT.  The companies are totally split and the partners want nothing to do with each other.  The TT domain has users and computers as well as multiple shares, permissions, etc.; the only thing missing is the forest root.

Since there's no forest root anymore, I can't authorize DHCP or extend the Schema, both of which I need to do.  So the question is, how do I proceed?  I know that I'm going to have to blow out AD on the server, but how can I avoid losing all the user accounts, permissions, computer accounts, local user profiles, etc.?

I was thinking of using ADMT to migrate to a new domain (which is root) on a temporary server.  Then move the FSMO roles to the one server that they have and down the temporary server.  However,  I'm not sure I can create the necessary transitive trusts without the forest root being online.

Either way, I need to make sure that the local profiles on all the client computers are retained.  If I have to manually recreate the user accounts and rejoin all the computers, I can do that.  Permissions can be done manually too.

Any recommendations on where to start?  I'm reading the ADMT guide now.
Question by:121mhz
    LVL 59

    Accepted Solution

    You can just start from scratch then just move the profiles over by using the USMT tool which might be the easiest way to move. Without control over the root you are most likely going to have issues.
    LVL 1

    Author Comment

    USMT is my other option, but that would mean that I would have to blow out the user accounts which I'm trying to avoid, but quickly realizing might not be possible.
    LVL 59

    Expert Comment

    by:Darius Ghassem
    ADMT, I think, needs root settings unless you are moving child domains into a root domain.
    LVL 1

    Author Comment

    So there's no better solution than to start from scratch.  Does this sound right:

    1) Use USMT to save state on all machines,
    2) Remove all machines from the domain
    3) Blow Out AD on the server
    4) Reinstall AD on the server
    5) Recreate all user accounts and permissions
    6) Rejoin the domain on all computers
    7) Login as user
    8) Restore state using USMT

    Did I miss anything?
    LVL 59

    Expert Comment

    by:Darius Ghassem
    Nope everything seems in order. Now you can try ADMT but I'm almost 100% sure you are going to need the root domain.
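
    The save and restore steps (1 and 8) of the list above, sketched in PowerShell as an added example that is not part of the original thread. The USMT folder, the store share and the domain names OLDDOM and NEWDOM are placeholders, and the sketch assumes the recreated accounts keep the same user names in the new domain so that `/md` can map each saved profile to its new account.

```powershell
# Added example, not from the thread. All paths and domain names are placeholders.
$UsmtDir   = 'C:\USMT'              # assumed folder holding scanstate.exe / loadstate.exe
$StoreRoot = '\\TEMPSRV\MigStore'   # assumed share that survives the AD rebuild
$OldDomain = 'OLDDOM'               # placeholder NetBIOS name of the orphaned domain
$NewDomain = 'NEWDOM'               # placeholder NetBIOS name of the rebuilt domain
$Store     = Join-Path $StoreRoot $env:COMPUTERNAME   # one store per client

function Invoke-Usmt {
    param([string]$Tool, [string[]]$Arguments)
    & (Join-Path $UsmtDir $Tool) @Arguments
    # USMT returns 0 on success; stop before anything is removed or rebuilt.
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

function Save-UserState {
    # Step 1: run elevated while the client is still joined to the old domain.
    Invoke-Usmt 'scanstate.exe' @(
        $Store,
        "/i:$UsmtDir\MigUser.xml", "/i:$UsmtDir\MigApp.xml",
        '/ue:*\*', "/ui:$OldDomain\*",        # exclude everyone, then include old-domain users
        '/o', '/c', '/v:13', "/l:$env:TEMP\scanstate.log"
    )
}

function Restore-UserState {
    # Step 8: run elevated after the client has joined the new domain and the
    # same-named accounts exist there; /md rewrites OLDDOM\user to NEWDOM\user.
    Invoke-Usmt 'loadstate.exe' @(
        $Store,
        "/i:$UsmtDir\MigUser.xml", "/i:$UsmtDir\MigApp.xml",
        "/md:${OldDomain}:${NewDomain}",
        '/c', '/v:13', "/l:$env:TEMP\loadstate.log"
    )
}

# Call Save-UserState on each client before step 2, and Restore-UserState after step 6.
```

    Check the scanstate log on every client before AD is removed, because the store is the only copy of the profiles once the old accounts are gone.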
