• Status: Solved

Migrating Profiles and Domain services from old to new AD environment

I have to come up with a document of how we are going to cut across our profiles and services from our existing domain to a new domain I will build up in the next month.

We have a site that is on 10.101.10.0/16 network. The site is Sydney. The current domain is domain1.com (for example). I will build a new domain2.com on the same site and will need to begin the process of migrating people from the current domain to the new, with their profiles.

Now we have a fileserver on the current domain that will also have to be cut across, not sure in what order and how to go about this and whether it all needs to be done over a weekend or it can be done slowly.

The way I see it.

1. Build new domain and configure within site services.
2. Build new exchange.
3. Create the users.
4. Take computers off current domain and join new domain.
5. Use USMT 4.0 tools to migrate profiles across.
6. What do I do with the file server? Do I also just take off domain and join new domain? What will that do to the permissions of the shares? Do I do this prior to moving the profiles across or at the same time?
7. Connect users to new exchange server.

Is there anything else I am missing?
Asked:
Network_Padawan
 
Sikhumbuzo Ntsada Commented:
If the structure on the file server is controlled entirely by the current domain, when you finish migrating it to the new one, there should not be issues after you join the file server to your new domain.

Bear in mind that the Active Directory must be imported from your old domain for this to work; if not, then the plan won't work.

 
Network_Padawan (Author) Commented:
Sorry I don't understand, how do I import the old AD into the new one? Why would I want to do this?
 
5g6tdcv4 Commented:
I know the question is being closed, but you need to look at the ADMT:
http://www.microsoft.com/downloads/en/details.aspx?familyid=6f86937b-533a-466d-a8e8-aff85ad3d212&displaylang=en
I did this exact project last year, and here are my thoughts:

1. Build new domain and configure within site services.
2. Build new exchange.

....set up a cross domain trust
.....use ADMT to copy the user accounts and privileges ...this affects your question at number 6
.....do a move-mailbox to the new domain (which actually does not move the mailbox)
4. Take computers off current domain and join new domain.
5. Use USMT 4.0 tools to migrate profiles across..........or just copy the data from c:\users\%username% to c:\users\%username%.newdomain
6. What do I do with the file server? Do I also just take off domain and join new domain? What will that do to the permissions of the shares? Do I do this prior to moving the profiles across or at the same time? If you use the ADMT tool it will copy the file permissions from domain A to domain B. And if you have the trust set up correctly, users in domain A can connect to the file server even after it has been moved to domain B.
7. Connect users to new exchange server. .............if autodiscover is configured correctly the client will automatically connect to the exchange server.
 
Network_Padawan (Author) Commented:
Please leave open for now, want to respond to 5g6tdcv4
 
Network_Padawan (Author) Commented:
Thanks 5g6tdcv4,

Can I get clarification on some of your points....

3. In ADMT, is it possible to rename the account as it migrates it across to the new AD? E.g., dgarcia is now daniel.garcia? This is part of the requirements. I know this can't be done via the GUI but can it be done via command line?

5. Can we use Windows Easy Transfer?

6. So I use ADMT and USMT first to move or copy AD accounts across. The joining of the PCs to the new domain will create the computer objects in AD. Then disjoin file server from old domain, join new domain as member server, and people will be able to authenticate via the newly migrated AD user accounts and profile. Is that it? What about SID history, do I need to preserve them...if so, how?

Thanks!
 
Network_Padawan (Author) Commented:
Also, do I need to use USMT 4 or will ADMT 3.2 do the profile cutover as well?
 
5g6tdcv4 Commented:
3. Yes, you can rename if using an include file that lists your objects that are being migrated.
5. No, stick with USMT; it is designed for this type of migration. It moves application settings, among other things, that WET does not. WET is designed for end-user migrations and does not have the functionality of USMT.
6. Using ADMT will also move the computer objects as well.
Notes for number 6:
Once you complete the migration of user accounts and SIDs you should be able to bring a test user online in the new environment and test.
This is the most important thing: bring a user across in a specific user group, then test access permissions, mail flow, DNS, everything.
Then bring another user across and test again.
And repeat, for every group that you have in your domain.
If you have to, create fake users in specific groups and move them and verify that they can access resources in both domains.
Depending upon your environment, SID history can be used to allow or deny access to domain resources. ADMT gives you the option to migrate SID history.
Quote: Is that it?
No, that is the overview of it. Do you want to migrate passwords? Are group policies in target domain the same as source? When will you cut mail flow over to destination domain, and how will you do it? The questions/problems go on and on, but whatever you do, TEST TEST TEST prior to making the jump to the new domain.
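A post-migration check for the testing step and the SID history question discussed above, as an added example that is not code from the thread's participants: it takes a rename map (old to new sAMAccountName) plus source and target account lists, and reports whether each target account carries its source SID in sIDHistory. The function name, the SIDs and every account other than the dgarcia/daniel.garcia pair are constructed for illustration.

```powershell
# Added example. Accounts, SIDs and the rename map are constructed sample data.
function Test-SidHistoryMigration {
    param([object[]]$Mapping, [object[]]$SourceUsers, [object[]]$TargetUsers)
    # Index both account lists by sAMAccountName for direct lookup.
    $src = @{}; foreach ($u in $SourceUsers) { $src[$u.SamAccountName] = $u }
    $tgt = @{}; foreach ($u in $TargetUsers) { $tgt[$u.SamAccountName] = $u }
    foreach ($row in $Mapping) {
        $s = $src[$row.OldName]; $t = $tgt[$row.NewName]
        # Normalise to strings: Get-ADUser returns SecurityIdentifier objects.
        $history = @()
        if ($t) { $history = @($t.SIDHistory | Where-Object { $_ } | ForEach-Object { [string]$_ }) }
        # Anything in sIDHistory that is not from the source domain needs review.
        $foreign = @()
        if ($s) {
            $domainSid = ([string]$s.SID) -replace '-\d+$', ''
            $foreign = @($history | Where-Object { $_ -notlike "$domainSid-*" })
        }
        $status = if (-not $s) { 'MissingInSource' }
            elseif (-not $t) { 'MissingInTarget' }
            elseif ($history.Count -eq 0) { 'NoSidHistory' }
            elseif ($history -notcontains [string]$s.SID) { 'SourceSidNotInHistory' }
            elseif ($foreign.Count -gt 0) { 'UnexpectedSidInHistory' }
            else { 'OK' }
        $row | Select-Object OldName, NewName, @{ Name = 'Status'; Expression = { $status } }
    }
}

# Constructed sample data. In a real run, build the two lists with e.g.
#   Get-ADUser -Filter * -Server domain1.com
#   Get-ADUser -Filter * -Server domain2.com -Properties SIDHistory
$old = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed source domain SID
$new = 'S-1-5-21-4444444444-5555555555-6666666666'   # constructed target domain SID
$mapping = @'
OldName,NewName
dgarcia,daniel.garcia
jsmith,jane.smith
tuser01,test.user01
'@ | ConvertFrom-Csv
$sourceUsers = @"
SamAccountName,SID
dgarcia,$old-1105
jsmith,$old-1106
tuser01,$old-1107
"@ | ConvertFrom-Csv
$targetUsers = @(
    New-Object PSObject -Property @{ SamAccountName = 'daniel.garcia'; SID = "$new-1601"; SIDHistory = @("$old-1105") }
    New-Object PSObject -Property @{ SamAccountName = 'jane.smith'; SID = "$new-1602"; SIDHistory = @() }
)
Test-SidHistoryMigration -Mapping $mapping -SourceUsers $sourceUsers -TargetUsers $targetUsers
```

Any row that is not OK is an account to fix before the file server is moved, since access granted to the old SID depends on that sIDHistory entry.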
 
5g6tdcv4 Commented:
USMT for the profile move. If you have 30 users, do it by hand. If you have 1000, you need to script it with USMT. But I cannot say definitely, as I have not used ADMT 3.2.
 
Network_Padawan (Author) Commented:
When you say "(which actually does not move the mailbox)"...what do you mean? I thought part of the exchange migration is moving (or can you choose to copy instead?) mailboxes across to a new exchange on a separate forest?
 
5g6tdcv4 Commented:
This is the PowerShell command that moves/copies the mailboxes across:

# Prompt for an account in the source forest, then one in the target forest
$SourceCredential = Get-Credential
$TargetCredential = Get-Credential
# manage.csv needs a "Username" column listing the mailboxes to process
$UsersCSV = Import-Csv -Path "manage.csv"
foreach ($Line in $UsersCSV) {
    Move-Mailbox -Identity $Line.Username `
        -TargetDatabase "mail\first storage group\mailbox database" `
        -GlobalCatalog dc2.newdomain.com `
        -SourceForestGlobalCatalog sms-dc2n.olddomain.com `
        -SourceForestCredential $SourceCredential `
        -TargetForestCredential $TargetCredential `
        -RetryInterval 00:00:10 `
        -Confirm:$false
}

This only copies the mailboxes; it does not actually move them. The mailbox is "moved" when the user logs in to the new domain and starts accessing the mailbox.
 
Network_Padawan (Author) Commented:
Thanks 5g6tdcv4,

I created a VM environment and I got the users, groups and profiles all migrated with just ADMT 3.2. Worked Flawlessly. I did the following:

1. Migrate Security Accounts
2. Migrate Groups
3. Migrate Users
4. Migrate Computers -  When Migrating computers - Local groups give target domain rights in the computer objects - User profiles Only
5. Migrate Computers - choose all the rest of the options
6. Users could now logon to new domain with their PC's and new credentials
7. Changed file server to new domain and users could access with their permissions.

So thanks, this all works. The only issue left is exchange, where in this process do I do the migration...and also, can I not just right-click the mailbox and choose "Copy". Since there is a two way trust between both forests, shouldn't it be simple to see and just copy?
 
5g6tdcv4 Commented:
Which version of exchange?
 
Network_Padawan (Author) Commented:
2007 standard to 2010 enterprise
 
5g6tdcv4 Commented:
Your version of exchange 2007 has to be SP2 or greater.
Is it?
 
Network_Padawan (Author) Commented:
I get the following information from powershell


[PS] C:\Users\Administrator.NEPEANGROUP\Desktop>Get-ExchangeServer | fl name,edition,admindisplayversion


Name                : NGEXCH01
Edition             : Standard
AdminDisplayVersion : Version 8.1 (Build 240.6)

I guess this means we have SP1?
 
5g6tdcv4 Commented:
Yep
 
Network_Padawan (Author) Commented:
Thanks appreciated. Tested and it works. Will do an exchange migration test and see how it works.
 
5g6tdcv4 Commented:
Thanks for the points.
If you are making a document to do the domain migration, I would like to see it.