AD Restructuration

Hey jskfan :)

I've done one or two of those: )

First, collapsing child domains into the forest root. There are two tools which can help here.

MoveTree:

Download:

http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&displaylang=en

Usage:

http://support.microsoft.com/kb/238394

 - This can be used to move Users and Groups into the Forest Root
 - The sidHistory will be populated with the SID from the original domain
 - Any links to Exchange Mailboxes are maintained with this move (no action required)
 - It works perfectly for 2003 even if it doesn't state that in the KB article

The catch is that group membership will have to be checked / rewritten after the move has completed. However, it's much less effort that the next tool for moves within a forest.

Active Directory Migration Tool (ADMT):

Download:

http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en

 - Can be used to move the computers over
 - It will re-write the security on the computer so the user profile works "as is"

Okay, so that's the easy bit. Your cross-forest move is much much harder because of "named the same". Is that really a requirement? That excludes the use of the tools above, meaning you have to do everything they did for you manually. Security is the biggest catch there because you will not be able to populate sIDHistory without a Trust and the tools mentioned above (and one other that also requires a trust).

> I was wondering if I drop a new DC in the existing Domain, just to have objects replicated to it,
> then take offline and do the migration and restructuratuin of AD for the new domain.

I'm not certain how this would help. There's no requirement to delete objects in the source domain with a migration (you can, but you don't have to). But you would still have to deal with re-joining computers to this domain if you were to go back.

Chris

in our environment we need only computer objects to be migrated to the new domain.
User objects , we can create them manually since we don't have many.
Regarding the migration, when you migate an object does it stay in the original place too, just like copying it or it gets deleted from the original place (for instnace from an OU)?
Because I thought I could take a DC from the current domain offline, and do the migration of child domains to parent domain then get rid of child domains and restructure my AD  then put it in the new domain.

Computers are about the most complex, although that depends how much you care about your users :) If you don't have to maintain user profiles then all you have to do is join it to the new domain.

> Regarding the migration, when you migate an object does it stay in the original place too,
> just like copying it or it gets deleted from the original place (for instnace from an OU)?

If you're using ADMT you can tell it to do either (it's a tick box if you use the GUI).

> then put it in the new domain.

Even if the domain is the same name it is not the same domain. It won't talk to the new domain controllers if that's what you're expecting?

Chris

<<Even if the domain is the same name it is not the same domain. It won't talk to the new domain controllers if that's what you're expecting?>>>
Even after I disconnect the old domain?

You mentionned user profiles, is there any way to back it up and restore it to the new domain.
For now users have just local profiles.

Chris,

is it possible to rename a domain. if so , I will rename the new domain different than the old domain.
I will create a trust, make migration of the objects from the old domain to the new domain without deleting them from the old domain, then disable the trust and go back to the new domain and rename it the way I want it.
would this work?