Service account Migration from Source domain to Target Domain

Hi! Please help me on this.

The enclosed attachment is the forest topology of my company. We are now trying to migrate "service accounts" from the source domain to the target domain.

AD infrastructure Design
Our company is a food product manufacturing company and has offices across the globe. Each domain has 10000 user objects and 500 servers.

I'm now stuck on how to plan this activity and what the points of concern are during migration of service accounts.
1) Where do I install the ADMT tool: on the source DC or the target DC?
2) Using the service account migration wizard, will it keep the same GUID / SID or will it change?
3) If the GUID/SID changes, will the account permissions and group memberships remain intact after migration? Any changes to be done before/after migration? Any task to be carried out after migration? Kindly suggest.
4) After moving the service accounts, will their passwords expire?
5) After moving the computer objects, do I have to restart all the servers/computers, and can logins happen in the target domain?
6) Is any DNS planning / preparation required before/after migration?
7) What tests need to be carried out to check whether the migration is successful?
8) Lastly, planning the source domain demise.

Thanks a lot!
Narsiman.
narsimanshivaiyer Asked:

ashutoshsapre Commented:
1) I'd suggest you install it on a DC of the target domain. The account you run ADMT with should have FULL rights on both domains; this is important for a successful migration.
2) After migration the accounts are assigned a new SID, and the old SID is added to the sIDHistory attribute, so the account still has access to whatever objects it had rights on while in the old domain.
3) Account permissions and group memberships (if the groups are also migrated) remain the same. If the groups are not migrated, the account loses its memberships after the migration is complete and the trust between the domains is broken.
4) You can migrate the password, but for security reasons the option "User must change password at next logon" gets checked, so when a user logs in to the new domain with their old password they get a prompt to change it. In the case of service accounts you can just uncheck the option.
5) After computer account migration the computer is restarted automatically as its domain changes. Users can log in to the old or new domain as long as the trust between the source and target domain exists.
6) Before migration, even before you create the trust, you have to create secondary zones for the other domain and allow zone transfer in DNS; this is to make sure that name resolution works throughout both the source and target domain.
7) The ADMT tool generates logs and also displays the status of the migration, so in case any failure occurs you will see it on the screen.
8) Make sure you have migrated every object you require. I'd suggest keeping the source domain for a few weeks; you can break the trust in the meantime. So, in case you find that you have missed migrating some objects, you can do it later by following the ADMT steps.

You can also refer to the ADMT documentation:
Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains
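Points 2 and 4 above can be verified directly against the target domain once ADMT has run. The following PowerShell is an added example (not from the thread or from ADMT itself) that uses the RSAT ActiveDirectory module; the target domain name and the account list are placeholders.

```powershell
# Added example: post-migration checks for service accounts moved with ADMT.
# Assumes the RSAT ActiveDirectory module is installed. $TargetDomain and
# $ServiceAccounts are placeholders to replace with your own values.
Import-Module ActiveDirectory

$TargetDomain    = 'target.example.com'          # placeholder target domain
$ServiceAccounts = @('svc-backup', 'svc-sql')    # placeholder sAMAccountNames

foreach ($name in $ServiceAccounts) {
    $acct = Get-ADUser -Identity $name -Server $TargetDomain `
        -Properties sIDHistory, pwdLastSet, PasswordNeverExpires, MemberOf

    # Point 2: ADMT issues a new SID in the target domain; the source-domain
    # SID should have been written into sIDHistory so old ACLs still apply.
    $oldSids = @($acct.sIDHistory | ForEach-Object { $_.Value })

    # Point 4: ADMT sets "User must change password at next logon", which is
    # stored as pwdLastSet = 0. A service cannot answer that prompt, so the
    # flag has to be cleared before the service is started in the new domain.
    $mustChange = ($acct.pwdLastSet -eq 0)

    [PSCustomObject]@{
        Account          = $acct.SamAccountName
        NewSID           = $acct.SID.Value
        SidHistoryCount  = $oldSids.Count
        OldSIDs          = ($oldSids -join ';')
        MustChangePwd    = $mustChange
        PwdNeverExpires  = $acct.PasswordNeverExpires
        GroupCount       = @($acct.MemberOf).Count   # point 3: memberships kept?
    }

    if ($mustChange) {
        # The answer's "just uncheck the option" for service accounts.
        Set-ADUser -Identity $acct -Server $TargetDomain -ChangePasswordAtLogon $false
    }
}
```

An account with SidHistoryCount of 0 or GroupCount of 0 after migration is the case to investigate before the service is cut over.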
ashutoshsapre Commented:
Also, while migrating the computer accounts, make sure the account that you run ADMT with is added to the local Administrators group of all computers in the source domain.
narsimanshivaiyer Author Commented:
Hi Ashutoshsapre,

The child domain belongs to the same tree, so by default the trust relationship would be there, right? Then why are we concerned about trust here? Please give me a better understanding.

Thanks,
Shiva Iyer
ashutoshsapre Commented:
That was just to generalize: in the case of an inter-forest migration, the step to make sure DNS works is crucial. In the case of an intra-forest migration the trust and DNS configuration already exist, so you can skip that step. :)
narsimanshivaiyer Author Commented:
Was very informative.