Solved

AD Cross Forest migration

Posted on 2011-09-02
Last Modified: 2012-05-12
Team,

I need to split up two companies with two different dns (public) domains on one network at the head office.  There are several remote users but I plan to use Outlook anywhere for them.
Original AD domain is all 2003 server and single Exchange 2003 server handling everything.
New forest and domain (all 2008 server and Exchange 2010 sp1) for departing company is already built - I'm looking at migration tools and my head is ready to explode.

I have to wonder, for forty users in-house (approx. 75 email users total), might it be just as fast to just create new users on the new domain, flip the PCs over by copying profiles to a temp local profile, then into the new domain after joining new domain and then just import mailboxes that I've exported from the old Exchange server?

What would be the down side to this approach?

Thanks for your time!
Question by:jag-pens

Expert Comment

by:Feebleminder
What OS(s) are you working with?

Expert Comment

by:Feebleminder
If you are using XP use this utility:  Moveuser.exe (located in the Resource Tool Kit)

http://x220.minasi.com/forum/topic.asp?TOPIC_ID=9110

2003 Resource Tool Kit (if you don't have it)

http://www.microsoft.com/download/en/details.aspx?id=17657

If you have Vista SP1 or higher use this:

http://tacklebox.cns.ohiou.edu/Moveuser/

Use the ADMT to Migrate Users, if you want to instead of creating all new users/groups/OUs/etc...

http://www.microsoft.com/download/en/details.aspx?id=8377

Expert Comment

by:Damag3d
Hi,

The main issue with creating the new accounts is that you will be creating new SIDs for all your users. In doing so you will break things like file permissions on file servers etc etc.

What I suggest doing is use the ADMT (Active Directory Migration Tool). It's a really simple utility and ports across your SID history for all of your user accounts. That covers the AD part; for the Exchange part you will need to make sure that your 2003 servers are at SP2, then install your new 2010 server in the same organisation and use the Move Mailbox wizard. Have a quick read through this blog: http://www.networkworld.com/community/node/47632

Good Luck :)
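The concern raised in the comment above, that new accounts mean new SIDs and broken file permissions, can be sized up before choosing between ADMT and fresh accounts. The script below is an added example, not code from any poster in this thread; the share path, domain name and report file are placeholders, and it assumes the old domain's "Domain Users" group has its default English name.

```powershell
# Added example: list explicit ACL entries on a share that reference the OLD domain.
# These are the entries that stop matching once users get new SIDs in the new forest.
param(
    [string]$SharePath = '\\fileserver\share',          # placeholder path
    [string]$OldDomain = 'OLDDOMAIN',                   # placeholder NetBIOS name
    [string]$ReportCsv = '.\old-domain-acl-report.csv'  # placeholder output file
)

# Get the old domain's SID prefix from a well-known account (assumed name).
$probe     = New-Object System.Security.Principal.NTAccount($OldDomain, 'Domain Users')
$domainSid = $probe.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value

$items = @(Get-Item -LiteralPath $SharePath) +
         @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue)

$report = @(foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Explicit entries only; inherited ones are corrected at the parent folder.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $sid.StartsWith("$domainSid-")) { continue }

        # Resolve to a name where possible; deleted accounts stay as raw SIDs.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        [pscustomobject]@{
            Path    = $item.FullName
            Sid     = $sid
            Account = $name
            Type    = $rule.AccessControlType
            Rights  = $rule.FileSystemRights
        }
    }
})

# Full detail to CSV, plus a per-account count (users and global groups alike).
$report | Export-Csv -Path $ReportCsv -NoTypeInformation
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The per-account summary shows how many explicit entries would have to be re-granted to new-domain users or groups if SID history is not carried across.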
 

Author Comment

by:jag-pens
Damag3d,

Yes, I have spent a lot of time looking at the ADMT 3.2 guide but it seems fairly complicated to me.  They also talk about syncing during migration which apparently requires licensed MMS software to accomplish.  Since there is only 1 Exchange server and 1 public ip at the moment all the Outlook Anywhere users have to be moved to a new public ip anyway.  Also, there must be a new BES server.  Just seems to me that the simplest solution (with complete fall back in that the source servers don't need to be touched (except maybe BES)) is to create everything new on new domain, flip user profiles to local on each computer, then join new domain and flip profiles again from local to new domain.  I have unfortunately used global groups to protect file system resources on the source domains so that will work against me I believe in an ADMT migration?  - more fuel for brute force migration?

FeebleMinder:
There are XP SP3 32 bit, Vista Business 32 bit, and Windows 7 32/64 PCs to migrate

Expert Comment

by:Feebleminder
Simply creating new users/groups/OUs I think would be the simplest. Doing the export import like you said. And use the Moveuser tools mentioned above. (This tool seems to be the quick key to remapping profiles to new domain\username. Follow the simple few steps and voilà!)
 

Author Comment

by:jag-pens
Feebleminder,
These profile move tools that you mention, do they generically name the profile similar to the way the SBS profile tools work?  IE user Joe Shmoe with userid jshmoe in (XP/V1 profile) c:\documents and settings\jshmoe or in C:\Documents and Settings\MovedUser ?
 

Author Comment

by:jag-pens
Feebleminder,

Another question comes to mind - something I have not yet done thus the question.
With a Vista/Windows 7 (V2) profile (and I'm asking about local, not roaming profiles so perhaps the V2 is irrelevant), will I run into profile copy issues similar to what XP SP3 introduced where I need to take ownership of the profile to get a clean profile copy or do the tools you mention take care of all this?  Cheers

Expert Comment

by:Feebleminder
All this needs to be done with a Local Admin Acct!

The move tool is controlled by you. You will type in the OldDomain\UserName and the NewDomain\UserName. No Generic. It will pull down the new user's SID from the NewDomain AD. Just follow the simple few steps for each.

As far as Local Profile, it works exactly the same as domain to domain.
 

Author Comment

by:jag-pens
Feebleminder,

Have you used this?  What about little gotchas like Blackberry Desktop backup files that have warped permissions - usually stopping a copy in its tracks (.ipd file)?

Expert Comment

by:Feebleminder
Yes I have used this on my last server upgrade from SBS 2003 to SBS 2008 and it has worked without a glitch.

Question I should have asked: Are you moving these profiles to another computer or are they staying on the same computers? Not that there is a whole lot of difference for the profile, only referring to the Blackberry file in question.

Expert Comment

by:Feebleminder
If the only issue you are looking at is the .ipd file for Blackberry, just have the users change the save location file to a share or C:\ and perform a backup before migrating users/computers.

Accepted Solution

by:Feebleminder
These two moveuser tools mainly change the NTUSER.DAT file to the new domain.
 

Author Comment

by:jag-pens
Feebleminder,

Re: 36478525 - no profiles will be flipped on the same PCs, then into the new domain.
Upon further reflection, I think it best from the perspective of minimizing user disruption, to just move data to the new domain this weekend, I need to have a static public ip in place and I can't get there until Wednesday (I was planning on moving to a hosted anti-spam service to move the mail flow both inbound and outbound to work around that but I have around 20 Outlook Anywhere target users and I would have to use a dynamic dns pointer in place that I would not want as a permanent solution, thus necessitating two changes instead of one).

Still, I think this route that we've outlined today for 40 users on the ground locally, makes the most sense rather than spending a whole lot of time developing a migration plan, testing it for each o/s and likely running into glitches anyway.

Thanks for your time!  I'm going to award the solution to Feebleminder - that may seem unfair to Damag3d since I'm leaning towards a 'KISS' solution but Feebleminder has spent more time and has been more involved. - Thanks again for everybody's input!

Expert Comment

by:-MAS
Check Exchange live export/import tool from this site. The same tool you can use for cross forest migration
http://www.clickzones.net/