Solved

AD Cross Forest migration

Posted on 2011-09-02
Last Modified: 2012-05-12
Team,

I need to split up two companies with two different DNS (public) domains on one network at the head office. There are several remote users but I plan to use Outlook Anywhere for them.
Original AD domain is all 2003 server and single Exchange 2003 server handling everything.
New forest and domain (all 2008 server and Exchange 2010 sp1) for departing company is already built - I'm looking at migration tools and my head is ready to explode.

I have to wonder, for forty users in-house (approx. 75 email users total), might it be just as fast to just create new users on the new domain, flip the PCs over by copying profiles to a temp local profile, then into the new domain after joining new domain and then just import mailboxes that I've exported from the old Exchange server?

What would be the down side to this approach?

Thanks for your time!
Question by:jag-pens
14 Comments
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36477038
What OS(s) are you working with?
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36477087
If you are using XP use this utility:  Moveuser.exe (located in the Resource Tool Kit)

http://x220.minasi.com/forum/topic.asp?TOPIC_ID=9110

2003 Resource Tool Kit (if you don't have it)

http://www.microsoft.com/download/en/details.aspx?id=17657

If you have Vista SP1 or higher use this:

http://tacklebox.cns.ohiou.edu/Moveuser/

Use the ADMT to Migrate Users, if you want to instead of creating all new users/groups/OUs/etc...

http://www.microsoft.com/download/en/details.aspx?id=8377
0
 
LVL 1

Expert Comment

by:Damag3d
ID: 36477596
Hi,

The main issue with creating the new accounts is that you will be creating new SIDs for all your users. In doing so you will break things like file permissions on file servers etc etc.

What I suggest doing is using the ADMT (Active Directory Migration Tool). It's a really simple utility and ports across your SID history for all of your user accounts. That covers the AD part; for the Exchange part you will need to make sure that your 2003 servers are at SP2, then install your new 2010 server in the same organisation and use the move mailbox wizard. Have a quick read through this blog: http://www.networkworld.com/community/node/47632

Good Luck :)
0
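The SID point raised in the comment above can be measured before cutover. As an added example (not part of the original thread), this PowerShell script lists explicit ACEs under a share whose SIDs belong to the old domain, which are the entries that newly created accounts without SID history will not match. `$Root` and `$OldDomainSid` are placeholder assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report explicit ACEs that reference SIDs issued by the old domain.
# $Root and $OldDomainSid are constructed placeholders, not values from the thread.
# The real domain SID can be read with (Get-ADDomain).DomainSID in the old forest.
param(
    [string]$Root = 'D:\Shares',
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)

function Get-OldDomainAce {
    param([string]$Path, [string]$DomainSid)

    $acl = Get-Acl -LiteralPath $Path
    # Request raw SIDs (explicit ACEs only) so entries are still listed
    # when the account name can no longer be resolved.
    $rules = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $sid.StartsWith("${DomainSid}-")) { continue }

        # Try to resolve the SID to a name; failure means it is orphaned
        # from the point of view of the machine running the audit.
        $name = $null
        try {
            $name = $rule.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }

        [pscustomobject]@{
            Path    = $Path
            Sid     = $sid
            Account = $name
            Rights  = $rule.FileSystemRights
            Type    = $rule.AccessControlType
        }
    }
}

# Walk the root folder and every subfolder, then save the findings.
$folders = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })

$folders |
    ForEach-Object { Get-OldDomainAce -Path $_.FullName -DomainSid $OldDomainSid } |
    Export-Csv -Path .\old-domain-aces.csv -NoTypeInformation
```

Each row in the CSV is a permission that has to be re-granted to a new-domain principal, or covered by SID history, before the old domain is retired.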
 

Author Comment

by:jag-pens
ID: 36478322
Damag3d,

Yes, I have spent a lot of time looking at the ADMT 3.2 guide but it seems fairly complicated to me. They also talk about syncing during migration which apparently requires licensed MMS software to accomplish. Since there is only 1 Exchange server and 1 public IP at the moment all the Outlook Anywhere users have to be moved to a new public IP anyway. Also, there must be a new BES server. Just seems to me that the simplest solution (with complete fall back in that the source servers don't need to be touched (except maybe BES)) is to create everything new on new domain, flip user profiles to local on each computer, then join new domain and flip profiles again from local to new domain. I have unfortunately used global groups to protect file system resources on the source domains so that will work against me I believe in an ADMT migration? - more fuel for brute force migration?

FeebleMinder:
There are XP SP3 32 bit, Vista Business 32 bit, and Windows 7 32/64 PCs to migrate
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478363
Simply creating new users/groups/OUs I think would be the simplest. Doing the export import like you said. And use the Moveuser tools mentioned above. (This tool seems to be the quick key to remapping profiles to new domain\username. Follow the simple few steps and voilà!)
0
 

Author Comment

by:jag-pens
ID: 36478382
Feebleminder,
These profile move tools that you mention, do they generically name the profile similar to the way the SBS profile tools work?  IE user Joe Shmoe with userid jshmoe in (XP/V1 profile) c:\documents and settings\jshmoe or in C:\Documents and Settings\MovedUser ?
0
 

Author Comment

by:jag-pens
ID: 36478395
Feebleminder,

Another question comes to mind - something I have not yet done thus the question.
With a Vista/Windows 7 (V2) profile (and I'm asking about local, not roaming profiles so perhaps the V2 is irrelevant), will I run into profile copy issues similar to what XP SP3 introduced where I need to take ownership of the profile to get a clean profile copy or do the tools you mention take care of all this?  Cheers
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478484
All this needs to be done with a Local Admin Acct!

The move tool is controlled by you. You will type in the OldDomain\UserName and the NewDomain\UserName. No Generic. It will pull down the new user's SID from the NewDomain AD. Just follow the simple few steps for each.

As far as Local Profile, it works exactly the same as domain to domain.
0
 

Author Comment

by:jag-pens
ID: 36478492
Feebleminder,

Have you used this? What about little gotchas like Blackberry Desktop backup files that have warped permissions - usually stopping a copy in its tracks (.ipd file)?
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478525
Yes I have used this on my last server upgrade from SBS 2003 to SBS 2008 and it has worked without a glitch.

Question I should have asked: Are you moving these profiles to another computer or are they staying on the same computers? Not that there is a whole lot of difference for the profile, only referring to the Blackberry file in question.
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36478531
If the only issue you are looking at is the .ipd file for Blackberry, just have the users change the save location file to a share or C:\ and perform a backup before migrating users/computers.
0
 
LVL 5

Accepted Solution

by:
Feebleminder earned 500 total points
ID: 36478536
These two moveuser tools mainly change the NTUSER.DAT file to the new domain.
0
 

Author Comment

by:jag-pens
ID: 36478577
Feebleminder,

Re: 36478525 - no profiles will be flipped on the same PCs, then into the new domain.
Upon further reflection, I think it best from the perspective of minimizing user disruption, to just move data to the new domain this weekend, I need to have a static public ip in place and I can't get there until Wednesday (I was planning on moving to a hosted anti-spam service to move the mail flow both inbound and outbound to work around that but I have around 20 Outlook Anywhere target users and I would have to use a dynamic dns pointer in place that I would not want as a permanent solution, thus necessitating two changes instead of one).

Still, I think this route that we've outlined today for 40 users on the ground locally, makes the most sense rather than spending a whole lot of time developing a migration plan, testing it for each o/s and likely running into glitches anyway.

Thanks for your time! I'm going to award the solution to Feebleminder - that may seem unfair to Damag3d since I'm leaning towards a 'KISS' solution but Feebleminder has spent more time and has been more involved. - Thanks again for everybody's input!
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36478681
Check Exchange live export/import tool from this site. The same tool you can use for cross forest migration
http://www.clickzones.net/ 
0
