Solved

AD Cross Forest migration

Posted on 2011-09-02
Last Modified: 2012-05-12
Team,

I need to split up two companies with two different dns (public) domains on one network at the head office.  There are several remote users but I plan to use Outlook anywhere for them.
Original AD domain is all 2003 server and single Exchange 2003 server handling everything.
New forest and domain (all 2008 server and Exchange 2010 sp1) for departing company is already built - I'm looking at migration tools and my head is ready to explode.

I have to wonder, for forty users in-house (approx. 75 email users total), might it be just as fast to just create new users on the new domain, flip the PCs over by copying profiles to a temp local profile, then into the new domain after joining the new domain, and then just import mailboxes that I've exported from the old Exchange server?

What would be the down side to this approach?

Thanks for your time!
0
Question by:jag-pens
14 Comments
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36477038
What OS(s) are you working with?
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36477087
If you are using XP use this utility:  Moveuser.exe (located in the Resource Tool Kit)

http://x220.minasi.com/forum/topic.asp?TOPIC_ID=9110

2003 Resource Tool Kit (if you don't have it)

http://www.microsoft.com/download/en/details.aspx?id=17657

If you have Vista SP1 or higher use this:

http://tacklebox.cns.ohiou.edu/Moveuser/

Use the ADMT to Migrate Users, if you want to instead of creating all new users/groups/OUs/etc...

http://www.microsoft.com/download/en/details.aspx?id=8377
0
 
LVL 1

Expert Comment

by:Damag3d
ID: 36477596
Hi,

The main issue with creating the new accounts is that you will be creating new SIDs for all your users. In doing so you will break things like file permissions on file servers etc.

What I suggest doing is to use the ADMT (Active Directory Migration Tool). It's a really simple utility and ports across your SID history for all of your user accounts. That covers the AD part; for the Exchange part you will need to make sure that your 2003 servers are at SP2, then install your new 2010 server in the same organisation and use the move mailbox wizard. Have a quick read through this blog: http://www.networkworld.com/community/node/47632

Good Luck :)
0
 

Author Comment

by:jag-pens
ID: 36478322
Damag3d,

Yes, I have spent a lot of time looking at the ADMT 3.2 guide but it seems fairly complicated to me.  They also talk about syncing during migration, which apparently requires licensed MMS software to accomplish.  Since there is only 1 Exchange server and 1 public IP at the moment, all the Outlook Anywhere users have to be moved to a new public IP anyway.  Also, there must be a new BES server.  It just seems to me that the simplest solution (with complete fall back, in that the source servers don't need to be touched (except maybe BES)) is to create everything new on the new domain, flip user profiles to local on each computer, then join the new domain and flip profiles again from local to the new domain.  I have unfortunately used global groups to protect file system resources on the source domain, so that will work against me, I believe, in an ADMT migration?  - more fuel for brute force migration?

FeebleMinder:
There are XP SP3 32 bit, Vista Business 32 bit, and Windows 7 32/64 PCs to migrate
0
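An added example, not from this thread or from any of the tools mentioned in it, of the impact check a practitioner would want before choosing the "create new users" route Damag3d warns about: a PowerShell script that walks a share tree and reports the explicit ACEs that name principals from the source domain, or SIDs that no longer resolve. Those are exactly the entries that stop working once users and groups are re-created with new SIDs instead of being migrated with SID history. `$Root`, `$OldDomain` and `$ReportCsv` are placeholders you would change; the folder tree and domain name below are assumed, not taken from the question.

```powershell
# Added example (not from the thread): audit NTFS ACLs under a share root for
# entries that reference the source (old) domain or SIDs that no longer resolve.
# Assumptions (placeholders): $Root is the folder tree to audit, $OldDomain is the
# NetBIOS name of the source domain, $ReportCsv is where the report is written.
param(
    [string]$Root      = 'D:\Shares',
    [string]$OldDomain = 'OLDDOMAIN',
    [string]$ReportCsv = '.\acl-old-domain-report.csv'
)

$results = New-Object System.Collections.Generic.List[object]

# Include the root folder itself, then everything below it
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Typically a folder the auditing account has no rights on; note it and move on
        Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
        continue
    }

    foreach ($ace in $acl.Access) {
        # Inherited ACEs follow their parent; fixing the parent fixes them,
        # so only explicit entries are reported
        if ($ace.IsInherited) { continue }

        $name   = $ace.IdentityReference.Value
        $status = $null
        if ($name -like "$OldDomain\*") {
            # Principal (user or group) from the source domain
            $status = 'OldDomainPrincipal'
        } elseif ($name -match '^S-1-5-21-') {
            # Raw SID in the ACL: the account was deleted or its domain is unreachable
            $status = 'UnresolvedSid'
        }

        if ($status) {
            $results.Add([pscustomobject]@{
                Path     = $item.FullName
                Identity = $name
                Rights   = $ace.FileSystemRights.ToString()
                Type     = $ace.AccessControlType.ToString()
                Status   = $status
            })
        }
    }
}

# Full detail to CSV, plus an on-screen summary of which principals are used most
$results | Export-Csv -Path $ReportCsv -NoTypeInformation
$results | Group-Object Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as an account that can read ACLs on the whole tree (on the file server itself is simplest). The summary tells you how many distinct old-domain groups actually protect data; each one has to be re-granted to a group in the new domain, because a global group in the old domain cannot hold users from the new forest. Rows marked `UnresolvedSid` are dead entries from accounts that were already deleted and can be cleaned up during the same pass.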
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478363
Simply creating new users/groups/OUs I think would be the simplest. Doing the export import like you said. And use the Moveuser tools mentioned above. (This tool seems to be the quick key to remapping profiles to new domain\username. Follow the simple few steps and wahlaa!)
0
 

Author Comment

by:jag-pens
ID: 36478382
Feebleminder,
These profile move tools that you mention, do they generically name the profile similar to the way the SBS profile tools work?  I.e. user Joe Shmoe with userid jshmoe in (XP/V1 profile) C:\Documents and Settings\jshmoe or in C:\Documents and Settings\MovedUser?
0
 

Author Comment

by:jag-pens
ID: 36478395
Feebleminder,

Another question comes to mind - something I have not yet done thus the question.
With a Vista/Windows 7 (V2) profile (and I'm asking about local, not roaming profiles so perhaps the V2 is irrelevant), will I run into profile copy issues similar to what XP SP3 introduced where I need to take ownership of the profile to get a clean profile copy or do the tools you mention take care of all this?  Cheers
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478484
All this needs to be done with a Local Admin Acct!

The move tool is controlled by you. You will type in the OldDomain\UserName and the NewDomain\UserName. No generic. It will pull down the new user's SID from the NewDomain AD. Just follow the simple few steps for each.

As far as Local Profile, it works exactly the same as domain to domain.
0
 

Author Comment

by:jag-pens
ID: 36478492
Feebleminder,

Have you used this?  What about little gotchas like Blackberry Desktop backup files that have warped permissions - usually stopping a copy in its tracks (.ipd file)?
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478525
Yes I have used this on my last server upgrade from SBS 2003 to SBS 2008 and it has worked without a glitch.

Question I should have asked: are you moving these profiles to another computer or are they staying on the same computers? Not that there is a whole lot of difference for the profile, only referring to the Blackberry file in question.
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478531
If the only issue you are looking at is the .ipd file for Blackberry, just have the users change the save location to a share or C:\ and perform a backup before migrating users/computers.
0
 
LVL 5

Accepted Solution

by: Feebleminder (earned 2000 total points)
ID: 36478536
These two moveuser tools mainly change the NTUSER.DAT file to the new domain.
0
 

Author Comment

by:jag-pens
ID: 36478577
Feebleminder,

Re: 36478525 - no profiles will be flipped on the same PCs, then into the new domain.
Upon further reflection, I think it best from the perspective of minimizing user disruption, to just move data to the new domain this weekend, I need to have a static public ip in place and I can't get there until Wednesday (I was planning on moving to a hosted anti-spam service to move the mail flow both inbound and outbound to work around that but I have around 20 Outlook Anywhere target users and I would have to use a dynamic dns pointer in place that I would not want as a permanent solution, thus necessitating two changes instead of one).

Still, I think this route that we've outlined today for 40 users on the ground locally, makes the most sense rather than spending a whole lot of time developing a migration plan, testing it for each o/s and likely running into glitches anyway.

Thanks for your time!  I'm going to award the solution to Feebleminder - that may seem unfair to Damag3d since I'm leaning towards a 'KISS' solution, but Feebleminder has spent more time and has been more involved. - Thanks again for everybody's input!
0
 
LVL 27

Expert Comment

by:MAS
ID: 36478681
Check the Exchange live export/import tool from this site. You can use the same tool for cross-forest migration:
http://www.clickzones.net/
0

