Solved

how to transfer users from Domain A to Domain B without trust

Posted on 2011-09-21
12
698 Views
Last Modified: 2012-06-27
Hello, Domain A has 100 users. I want to transfer them to Domain B. The two domain controllers cannot communicate with each other as they have 10.x.y.z IP addresses. Thus I cannot create the trust.
Is there any other way to do this?
0
Comment
Question by:c_hockland
12 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36578528
If both forests have no trust, you cannot migrate accounts, sorry. For that, a forest trust is required, and i.e. ADMT to do that job.
Accounts are objects with unique SIDs/GUIDs which cannot be recreated. During the migration process, SIDs/GUIDs history is set up on an object. So, first of all, you need to have a forest trust, a DNS stub zone or conditional forwarders for those domains (DNS name resolution is required) and routing configured between those networks.

Regards,
Krzysztof
0
 
LVL 2

Expert Comment

by:sudheendra2001
ID: 36578868
You have to create the trust explicitly. What is stopping you from doing this? Let us know and we will give a solution for that. Without a trust you can't do it.
0
 
LVL 7

Expert Comment

by:ComputerBeast
ID: 36580358
Hi all,

Build out a new dc in your source domain and allow it to replicate properly, be sure that it is a DC/GC and DNS server.  Disconnect this DC from the current domain and expect to NEVER connect to this domain again.

Do a metadata cleanup of this dc, for cleanup refer to the article:

http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx

Move this DC to the new forest and now create a trust between the two domains with this newly created DC that was just removed.  You may need to seize the FSMO roles and then establish a trust and use ADMT to migrate across the accounts, etc...

If you can go this route, remember you won't be able to migrate across any of the machines and the permissions associated with the users since you didn't have the two joined at the time.

If this doesn't pass regulatory issues then you will have to look at exporting your users with LDIFDE or something similar.

http://support.microsoft.com/kb/237677

Thank you
Anil
0

 

Author Comment

by:c_hockland
ID: 36590743
OK, guys, many thanks for the great input.

I have the users in an Excel sheet. Is there any tool that I can use to import them into the new AD?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36592289
There are many ways for that :) It depends on your Excel data format. You can do that using

CSVDE
LDIFDE
PowerShell
Or VB Script :)

Can you post some example of your excel file?

Krzysztof
0
 

Author Comment

by:c_hockland
ID: 36597029
Besides the users, I need to import groups. Can I do this using the same method?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598432
Yup, users and groups can be done this way using a script. If you provide some example Excel document with fields I would prepare a syntax for you

Krzysztof
0
 

Author Comment

by:c_hockland
ID: 36598638
Here is the file with one user.  1.csv
0
 

Author Comment

by:c_hockland
ID: 36598647
So to recap, so as to make sure I haven't confused you more:

I want to export all users under OU first_ou

Let's say I have one user, Tom

Then I have 1 group called admins

I want to export this group, and when I import it to the other domain I would like to have Tom as a member again, so I won't have to go and add Tom manually to this group.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598676
Yes, it is possible. I would suggest the ldifde command for that.
In domain A export users and groups using that tool and then import them in domain B using the same tool.

Wait a second and I will prepare the syntax for that :)

Krzysztof
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36598818
OK, let's start :) try this

1) Log on into a Domain Controller in a domain where those groups are created
2) In command-line type this syntax to export their names to a text file

ldifde -f c:\groups.txt -d "ou=oldGroupslocation,dc=domain,dc=local" -r "(objectClass=Group)" -l "cn,groupType,objectClass" -j c:
ldifde -f c:\users.txt -d "ou=oldUserslocation,dc=domain,dc=local" -r "(objectClass=User)" -l "cn,givenName,sn,displayName,description,userAccountControl,employeeID,userPrincipalName,mail,objectClass,memberOf" -j c:

3) Copy the groups.txt and users.txt files to a Domain Controller in another domain, where you want to create groups (i.e. to C-Drive)
4) Log on to a DC for that domain where you copied the text files
5) Edit the text files in Notepad. Fix the dn lines to point to the current OU structure in the new domain: press Ctrl+H, in "Find what" enter ou=oldGroupslocation,dc=domain,dc=local and ou=oldUserslocation,dc=domain,dc=local, and replace with the new value ou=newlocation,dc=domain2,dc=local. Save changes.
6) Open the command line and use this syntax

ldifde -i -f c:\groups.txt
ldifde -i -f c:\users.txt

7) On the C-Drive you will have the ldifde log; review it to see if everything was created properly.
8) Run Active Directory Users and Computers snap-in to check if they really exist :)

Krzysztof
0
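Step 5's find-and-replace done in code, as an added example that is not part of the original answer. It also takes the memberOf lines out of the user export, because memberOf is a back-link that Active Directory computes from each group's member attribute and cannot be written directly, and turns them into group member additions to import after groups.txt and users.txt; memberships in groups outside the exported OUs are returned for review instead of being recreated. The OU names are the answer's placeholders, SAMPLE is constructed, and base64-encoded (non-ASCII) DNs are not decoded.

```python
import re

# OU names are the placeholders from the answer's commands; SAMPLE is constructed.
OLD_SUFFIXES = ("ou=oldUserslocation,dc=domain,dc=local",
                "ou=oldGroupslocation,dc=domain,dc=local")
NEW_SUFFIX = "ou=newlocation,dc=domain2,dc=local"
SAMPLE = """\
dn: CN=Tom,ou=oldUserslocation,dc=domain,dc=local
changetype: add
objectClass: user
cn: Tom
memberOf: CN=admins,ou=oldGroupslocation,dc=domain,dc=local
memberOf: CN=Domain Admins,CN=Users,dc=domain,dc=local
"""

def rebase(dn):
    """Map a DN under an exported OU to the new OU; None if it lies elsewhere."""
    for old in OLD_SUFFIXES:
        if dn.lower().endswith("," + old.lower()):
            return dn[:-len(old)] + NEW_SUFFIX
    return None

def convert_users(text):
    """Return (user import LDIF, membership LDIF, unmapped memberOf pairs)."""
    users, links, skipped = [], [], []
    text = re.sub(r"\r?\n ", "", text)           # unfold LDIF continuation lines
    for block in filter(None, re.split(r"(?:\r?\n){2,}", text.strip())):
        lines = block.splitlines()
        attr, _, dn = lines[0].partition(": ")
        new_dn = rebase(dn) if attr.rstrip(":").lower() == "dn" else None
        if new_dn is None:                       # also hits base64 "dn::" lines
            raise ValueError(f"cannot map entry: {lines[0]!r}")
        users.append(f"dn: {new_dn}")
        for ln in lines[1:]:
            attr, _, val = ln.partition(": ")
            if attr.rstrip(":").lower() != "memberof":
                users.append(ln)                 # other attributes pass through
            elif rebase(val):                    # group was exported too
                links += [f"dn: {rebase(val)}", "changetype: modify",
                          "add: member", f"member: {new_dn}", "-", ""]
            else:                                # group outside the exported OUs
                skipped.append((new_dn, val))
        users.append("")
    return "\n".join(users), "\n".join(links), skipped

if __name__ == "__main__":
    print(*convert_users(SAMPLE), sep="\n---\n")
```

Import the membership file last with the same `ldifde -i -f` syntax, and go through the returned list of unmapped memberships by hand.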
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708300
Hi,

Does this solution work for you? Maybe you need some other help?

Krzysztof
0

Question has a verified solution.
