Need to migrate an acquired Active Directory Domain into ours

Posted on 2013-06-04
Last Modified: 2015-02-05
After an acquisition we now need to migrate the new Active Directory domain into ours. We already have a data connection between the two offices but they are working completely independently with their own Exchange email, Active Directory system, file sharing system, etc. The new office is running domain function level 2003 and we are running domain function level 2008r2. I have already built a physical Windows 2008r2 server that I plan to drive up to the new office and install as a DC that doubles as a file server. I know I will have to set all the workstations to log into our domain. I need all advice, scripts and articles that may assist me with this project. I know acquisitions are fairly common these days and am hoping there are pre-written scripts and procedures that may help me with this process. Exchange will have to be migrated over from their Exchange 2003 to our Exchange 2007, but that may be a question for the Exchange section of EE. All advice on Active Directory migration is appreciated.
Question by:Thor2923

Accepted Solution

Rob Stone earned 2000 total points
ID: 39220169
It's a tough one to answer in one attempt; I suspect you'll want to ask more questions as you go along, but here are some thoughts to get you thinking.

There are some questions you'll need to answer as well to get the best responses from the EE community.
1) Is there a trust relationship set up between the two domains?
2) Will the new company reside in the same forest on a temporary basis or is this being decommissioned?
3) How many client machines/servers do you need to migrate to your domain?
4) How many users do you need to migrate?
5) What are your timescales for implementing the project?
6) Are you doing a phased migration or a big bang approach?

I've been involved in one acquisition and there was no domain trust set up, as the domain was managed by a 3rd party and the network security implications made this too difficult.

In our scenario, we had to create a new user account for each employee/service account/etc.

We used robocopy to migrate the data and subinacl to change the permissions from the old domain to the new domain (you can do this in notepad!), however, the File Server Migration Tool may be worth checking for your scenario.

All application servers were installed on fresh servers and new hardware so we had a clean slate.

Obviously, you need to do a due diligence first. I would start off by looking at:
Security Groups - DLG/GG/UG
Run scans on the file servers to check the permissions (hopefully it's not too much of a mess!)
OUs & GPOs
Certificate Authority - check if this is in place and what impact to systems this change will have.
Client OS levels - make sure you don't fall into any problems with aged OSes on a 2008R2 Forest/Domain Functional Level
Remote Access

Basically, you need to look at every Windows Role & Feature that is in place and plan what will happen when you change the domain (not all Roles & Features will be affected).

If you have the luxury of a few spare servers (or a fairly decent single server), set up a test lab and practice before you do the live migration.

Author Comment

ID: 39220287
I think we are talking about 20 users. I am hoping to bring over one or two for a few days and gradually add the rest. You are right, I will probably be on here every couple of days with a new question or issue once I get started. I am not sure what you mean by "scans on the files servers". I know I need to be careful about permissions but did not know there were scans to make the job easier. There is only one file server and it is Windows 2000, which is no longer allowed to even exist on our domain, so I was just going to copy all the folders over to the DC/File Server I am driving up there and map the newly created users accordingly.

Expert Comment

by:Rob Stone
ID: 39222095
Sorry, poor wording on my part.

I meant to run something like ICACLS on folders to get the permissions so you can map them to the new user IDs.

DumpACL was helpful for me although it does take ages to run (especially remotely).

If you run it on the file server, it may be best to kick off the scan after work hours as I'm not sure how much extra CPU/disk load it will create.
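
The permission inventory suggested in the comment above, as an added example that is not part of the original thread: it lists every explicit (non-inherited) ACE that names an old-domain account and pairs it with the new-domain account from a lookup table, flagging entries with no mapping. It uses `Get-Acl` rather than ICACLS or DumpACL; `OLDCO`, `NEWCO`, `\\oldfs01\data` and the account names are constructed placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). OLDCO, NEWCO, \\oldfs01\data and the
# account map are constructed placeholders. Requires PowerShell 3.0 or later.
function Get-AclMigrationPlan {
    param(
        [Parameter(Mandatory = $true)] [string]    $Root,       # folder or UNC share to scan
        [Parameter(Mandatory = $true)] [string]    $OldDomain,  # NetBIOS name of the old domain
        [Parameter(Mandatory = $true)] [hashtable] $AccountMap  # 'OLD\name' -> 'NEW\name'
    )
    # The root itself plus every subfolder that can be enumerated.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }

        foreach ($ace in $acl.Access) {
            # Inherited entries follow the parent folder, so only explicit ACEs need re-creating.
            if ($ace.IsInherited) { continue }
            $id = $ace.IdentityReference.Value

            if ($id.StartsWith("$OldDomain\", [StringComparison]::OrdinalIgnoreCase)) {
                $new    = $AccountMap[$id]
                $status = if ($new) { 'Mapped' } else { 'Unmapped' }
            }
            elseif ($id -match '^S-1-5-21-') {
                # A raw domain SID means the account no longer resolves (deleted or unreachable).
                $new = $null; $status = 'UnresolvedSid'
            }
            else { continue }   # BUILTIN, NT AUTHORITY and other principals are out of scope

            [pscustomobject]@{
                Path        = $folder.FullName
                OldIdentity = $id
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                NewIdentity = $new
                Status      = $status
            }
        }
    }
}

# Constructed sample mapping; replace with the real old -> new account pairs.
$map = @{ 'OLDCO\jsmith' = 'NEWCO\john.smith'; 'OLDCO\Finance Users' = 'NEWCO\ACQ-Finance' }
Get-AclMigrationPlan -Root '\\oldfs01\data' -OldDomain 'OLDCO' -AccountMap $map |
    Export-Csv -Path .\acl-plan.csv -NoTypeInformation
```

Rows with a status of `Unmapped` or `UnresolvedSid` are the ones to resolve before the data is copied, since those permissions have no counterpart in the new domain.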

Expert Comment

by:Senior IT System Engineer
ID: 40593009
So what steps or approach did you end up with?
