Migrating Shares to new domain

dannewton
We are planning to set up a new domain which we will move all our users to as well as most of our servers and PCs - decommissioning the old domain when everything is done. What I need to find out is whether there is a way to create user logins for the new domain which correspond to users' old ones in terms of file share permissions and group membership for the old one.

Is this possible and what tools/procedures exist to help?
It is very important during migrations such as this to maintain SID history for the AD objects. So you need a tool that will migrate objects, attributes, groups, etc.

Yes it is possible of course, and the free Microsoft tool for it is ADMT. Active Directory Migration Tool is used to migrate users, groups, managed service accounts, and computers between Active Directory domains in different forests (interforest migration) or between Active Directory domains in the same forest (intraforest migration).

http://www.microsoft.com/download/en/details.aspx?id=17488
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

Documentation:
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

It also shows how to use ADMT to perform security translation between different Active Directory forests.

There are many 3rd-party solutions as well that provide extras but need services as well, but ADMT is efficient depending on your type of migration.

Please read the documentation thoroughly before you begin and make a plan to minimise user down time :)

Author

Commented:
Thanks Nippon. Will ADMT handle a change in user name pattern whereby a user login changes from (for example) joe.bloggs in the old domain to bloggs_j in the new one - retaining permissions/group memberships etc?
ADMT migrates the user. If you have already created new objects with a new name policy then we are talking about user mapping and I think you would need a third party tool for that. How many AD objects are we talking about?
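A post-migration check for the two concerns raised above (SID history and the joe.bloggs to bloggs_j rename), as an added example that is not part of the original thread or of any tool named in it. It assumes CSV exports of both domains in a hypothetical layout (sIDHistory values joined by `;`) and a surname-plus-first-initial rule inferred from the single example in the question; all accounts and SIDs are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample exports: accounts and SIDs are invented for illustration.
SOURCE_CSV = """sAMAccountName,objectSid
joe.bloggs,S-1-5-21-1111-2222-3333-1105
ann.lee,S-1-5-21-1111-2222-3333-1106
amy.wong,S-1-5-21-1111-2222-3333-1107
alan.wong,S-1-5-21-1111-2222-3333-1108
svc_backup,S-1-5-21-1111-2222-3333-1109
raj.patel,S-1-5-21-1111-2222-3333-1110
"""
TARGET_CSV = """sAMAccountName,objectSid,sIDHistory
bloggs_j,S-1-5-21-4444-5555-6666-2101,S-1-5-21-1111-2222-3333-1105
lee_a,S-1-5-21-4444-5555-6666-2102,
wong_a,S-1-5-21-4444-5555-6666-2103,S-1-5-21-1111-2222-3333-1107
"""

def new_login(old):
    """joe.bloggs -> bloggs_j; None when the name is not first.last (assumed rule)."""
    first, dot, last = old.partition(".")
    if not dot or not first or not last or "." in last:
        return None
    return f"{last}_{first[0]}".lower()

def audit(source_csv, target_csv):
    """Return {old_login: status} for every account in the source export."""
    source = list(csv.DictReader(io.StringIO(source_csv)))
    target = {row["sAMAccountName"].lower(): row
              for row in csv.DictReader(io.StringIO(target_csv))}
    # Count how many source accounts the rule sends to each new name.
    planned = Counter(new_login(r["sAMAccountName"]) for r in source)
    report = {}
    for row in source:
        old, new = row["sAMAccountName"], new_login(row["sAMAccountName"])
        if new is None:
            status = "unmappable"            # needs a manual mapping entry
        elif planned[new] > 1:
            status = "name_collision"        # two old logins, one new login
        elif new not in target:
            status = "no_target_account"
        else:
            # sIDHistory is multi-valued; this export layout joins values with ';'.
            history = {s.strip().upper()
                       for s in (target[new]["sIDHistory"] or "").split(";")}
            status = "ok" if row["objectSid"].upper() in history else "missing_sid_history"
        report[old] = status
    return report
```

An account reported as `missing_sid_history` carries only its new-domain SID, so share ACLs that still list the old-domain SID will not match it until security translation has been run on those resources.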

Dannewton, if this is a critical migration and downtime is out of the question and you want to avoid causing serious problems, you can go for the big names in AD migrations - I've used both and was very happy with both - Quest Software and NetIQ. By all means not trying to advertise here, just speaking from experience. Quest Software also provides consultants to help you along the way.

http://www.quest.com/migration-manager-for-active-directory/
http://www.netiq.com/products/dma/default.asp


@ Rybaa: Is that a good tool ? I have never heard of it

@ Rybaa: Does it transfer SID History or does it only keep the new SID of the object on the new domain, because that can cause problems.
kevinhsieh, Network Engineer

Commented:
Why are you moving everything to a new domain and forest instead of just upgrading and cleaning up the existing domain? Since you plan on shutting down the old domain, there are very few cases that I can think of that this project that you are planning would even be necessary.

Author

Commented:
Kevin - it's part of a project whereby we are creating a unified domain for our company and our sister company. We currently have 2 separate domains but are moving to a new, single one.
kevinhsieh, Network Engineer

Commented:
Okay. Personally, I would consider just migrating 1 domain into the other so there is only 1 migration instead of two. Depends on the situation, I guess.
I do suggest you use Ideal tools. It migrates everything!
Please Rybaa, when you say everything, can you be more specific? Does it do user mapping? Does it migrate SID history? How does it handle conflicts?
Migration Features:

Migration from and to all types of Windows NT, 2000, and 2003 servers for organization units, computer accounts, user groups, users, group memberships, shared directories, and printers,

Management of the SIDHistory attribute for groups and user accounts on 2000 and 2003 servers in native mode,

Migration Assistant to automate the transfer of objects to one or more target servers,

Back-up and retrieval of Migration Projects (.IPJ files),

Command-line running of a migration project, thus enabling full automation of the migration process (IACL.exe),

Automatic creation of scheduled tasks for programmed running of Migration Projects,

Objects transfer by means of CSV files (text files that may be modified or created manually),

Customization of Active Directory variables to be exported or imported for objects in the organization unit, computer account, user group, and user categories,

Complex passwords management when migrating users.
Rybaa, do you work for them? lol :)
dannewton, just get a trial and see how these work out for you. Just don't forget you have the free tool from Microsoft, ADMT, which is pretty good as well :)

Author

Commented:
Thanks for the tool suggestions from both of you. We'll look at what both have to offer and see what works going forward. I will close this Question for now as the migration is a little way off for now.
