• Status: Solved

cross-org migration trust with ADMT 3.1

We're about to begin the migration from a source forest domain to the target forest domain located in the same subnet. I'm the administrator of both domains (sourcedomain.com and targetdomain.com).

Groups and OUs WILL NOT be migrated. For several reasons we've decided to create a new scheme (global groups, local groups and so on) in the target domain. Of course we'll have to start over with the ACLs, permissions, etc. A lot of work.

The source domain will be useless after the migration. All users, profiles, computers, member servers and Exchange 2003 mailboxes (move-mailbox cmdlet) will be migrated to the new domain. The Exchange 2007 servers are already running. We are not going to migrate the DCs from the source domain.

QUESTION 1
A two-way transitive trust has been enabled already. But it looks like different trusts must be established depending on the object to migrate, as you can read in the ADMT 3.1 migration guide:

"To migrate users and global groups, you must establish a one-way trust between the source domain and the target domain, so that the source domain trusts the target domain.
To migrate resources or translate local profiles, you must do one of the following:
  • Create a one-way trust between the source domain and the target domain.
  • Create a two-way trust between source and target domains."

What happens if I use a two-way trust for all objects?

QUESTION 2
I have to create a user for delegation on each domain. As I am administrator of both domains, can I use the administrator account instead?

Thanks

Asked: quadrumane
1 Solution
 
Akhater commented:
A two-way trust will work in all cases; the document is giving you the minimum required.

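As an added check that is not part of the original thread, the following PowerShell reads the trust as seen from the target domain and reports whether its direction meets the two ADMT 3.1 requirements quoted in the question. It assumes the thread's placeholder domain names, the ActiveDirectory module (Get-ADTrust, Windows Server 2008 R2 RSAT or later) and PowerShell 3.0 or later, run as a target-domain administrator.

```powershell
# Added example, not from the original thread. Checks that the trust, as seen
# from the target domain, satisfies the ADMT 3.1 trust requirements quoted above.
# Assumes: the thread's placeholder domain names and the ActiveDirectory module.
Import-Module ActiveDirectory

$SourceDomain = 'sourcedomain.com'   # domain being emptied
$TargetDomain = 'targetdomain.com'   # domain receiving users, computers, mailboxes

# The trusted-domain object for the source lives in the target domain, so the
# Direction it reports is relative to the target:
#   Inbound       = source trusts target  (ADMT minimum for users/global groups)
#   Outbound      = target trusts source
#   BiDirectional = both (the two-way trust the asker already has)
$trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -Server $TargetDomain
if (-not $trust) { throw "No trust to $SourceDomain found in $TargetDomain" }

$userMigrationOk     = @('Inbound', 'BiDirectional') -contains $trust.Direction
$resourceMigrationOk = @('Inbound', 'Outbound', 'BiDirectional') -contains $trust.Direction

[PSCustomObject]@{
    Source                  = $SourceDomain
    Target                  = $TargetDomain
    Direction               = $trust.Direction
    ForestTransitive        = $trust.ForestTransitive
    # SID filtering on the trust strips foreign SIDs from sIDHistory; it only
    # matters if SID history is used, which the thread later decides against.
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
    SIDFilteringForestAware = $trust.SIDFilteringForestAware
    UserMigrationOk         = $userMigrationOk
    ResourceMigrationOk     = $resourceMigrationOk
}

# Secure-channel check without the AD module (netdom, Windows Server 2008):
#   netdom trust $TargetDomain /domain:$SourceDomain /verify
```

With the two-way trust from the question, Direction reports BiDirectional and both flags come out True; a one-way trust created in the wrong direction shows up as Outbound with UserMigrationOk False before any ADMT task is run.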
 
quadrumane (author) commented:
Thanks, do you know if I can use the administrator accounts instead of creating new accounts for ADMT?
 
Akhater commented:
Honestly I can't give you a 100% positive answer on this because I don't remember.

I always create a new account for ADMT, but my best guess is that the administrator account should work.
 
quadrumane (author) commented:
When you create a new account, do you have to delegate it on all resources one by one, or do you just make it domain and local admin on both domains and machines?

Thanks again
 
Akhater commented:
OK, I was looking back at my notes.

I do make the users members of the Domain Admins of their respective domains (so the administrator user will work).
 
quadrumane (author) commented:
Thanks. Off topic: do you think SID history is needed, considering that I'm not migrating any groups or permissions? I'm just trying to find out what SID history could be useful for in that kind of migration.
 
Akhater commented:
You should not need SID history since you are not planning for permission migration.

I just urge you to do a test because I am not sure how computer profiles will respond to the migration of a user.
 
quadrumane (author) commented:
I have created users and profiles, 2 virtual PCs, one physical server and one virtual server for testing purposes. Do you think it might be a problem at the computer profile level if I'm not using SID history? All profiles are local, not roaming. On the new target domain everything has been done already, including a new DFS. All servers are Windows 2008 and Exchange 2007 SP1.

The main concern I have is about DHCP. We didn't have the time to program the core switch (PowerConnect 6224 stack), so the DHCP broadcast will be sent to all available DHCP servers, including the one on the source domain. But if I stop that one I have to make sure all computers are already powered on. I want to keep PCs from getting their IP from the old DHCP server.
 
Akhater commented:
I do have a question mark on the local profile if the user is migrated without SID history; only a test (or someone else who did it) will clear it up for me.

I didn't get the DHCP problem.
 
quadrumane (author) commented:
OK, I'll let you know.

As the DNS forwarders are set and both domains are running on the same subnet, when the trust was established, for one reason or another some PCs received their IP from the target domain. So we just shut the DHCP down on the target domain until we begin the migration process.

This is why I think it might happen again, but this time the PCs could get their IP from the source DHCP server if I don't shut it down.
 
Akhater commented:
Oh, now I see.

Well, it doesn't matter whether you have a trust or not; there is simply no way to tell a computer which DHCP server to obtain an IP from, the process is completely random.

Any DHCP server can give IPs to any client.

Well, the solution for this is rather easy: keep one DHCP server up (let's say the old one) till you finish the whole migration, then migrate your DHCP configuration from the old server to the new one to avoid IP conflicts, and turn off the old one.