migrating to a new Windows domain from a damaged old one
Hi,
I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else. I'd like to start fresh with a new 2008 Domain controller if possible.
Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain. The remaining problem is all the security settings when the SID changes. That would be a pain in the ass going through all of the services on each machine.
Is there a way to preserve the SID and apply it to the new DC?
--Ben
I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else. I'd like to start fresh with a new 2008 Domain controller if possible.
Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain. The remaining problem is all the security settings when the SID changes. That would be a pain in the ass going through all of the services on each machine.
Is there a way to preserve the SID and apply it to the new DC?
--Ben
ASKER
Can't add the new DC; the 2000 installation is too damaged. Adprep chokes. It's lost all policies, etc.
About the only thing still intact on it is the list of computers and user accounts.
That's why I was leaning toward starting fresh.
So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?
Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.
--Ben
About the only thing still intact on it is the list of computers and user accounts.
That's why I was leaning toward starting fresh.
So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?
Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.
--Ben
You can try with LDIFDE which is a tool for import/export AD objects between domains.
Sid may not kept, i suspect, so I think to have rejoin all computers and new logons are considered as new domain users for local profiles.
For exporting from your damaged domain:
ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)
For importing on new domain:
ldifde -i -f ExportOU.ldf -s Server2k8
Its only an example , take care from docs.
HTH
Sid may not kept, i suspect, so I think to have rejoin all computers and new logons are considered as new domain users for local profiles.
For exporting from your damaged domain:
ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)
For importing on new domain:
ldifde -i -f ExportOU.ldf -s Server2k8
Its only an example , take care from docs.
HTH
ASKER
New logins would mean I'd have to go through all the services, folders, etc. and re-assign the rights, etc.? If so, I was hoping to avoid that if possible.
--Ben
--Ben
I think so. For what I performed in the past, importing users from LDIFDE onto a new domain, when clients logon first time its as new local user so the local profile will be initiliazed once again.
There is the ADMT v3.1 tool for helping migration and preserve the SID history, but if your domain is damaged, I'm suspected you can't use this tool.
Why your are talking about PDC ? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).
Did you tried to rebuild the AD database or checks what's going wrong ?
My 2 cents
There is the ADMT v3.1 tool for helping migration and preserve the SID history, but if your domain is damaged, I'm suspected you can't use this tool.
Why your are talking about PDC ? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).
Did you tried to rebuild the AD database or checks what's going wrong ?
My 2 cents
ASKER
Hi Pablito70,
The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :) I tend to use the terminology at times when that isn't what it is any longer. My apologies.
Yes, I brought in a very gifted Windows master to look things over. She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.
I've run out of time today to explore this option, and have a day job tomorrow. Will have to visit it again tomorrow evening and try what you suggest.
Thanks!
--Ben
The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :) I tend to use the terminology at times when that isn't what it is any longer. My apologies.
Yes, I brought in a very gifted Windows master to look things over. She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.
I've run out of time today to explore this option, and have a day job tomorrow. Will have to visit it again tomorrow evening and try what you suggest.
Thanks!
--Ben
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
My comment was that I had to get paid tech support to unwind an especially ugly situation. Well beyond my ability to accurately describe it to the EE community. Sometimes you just have to bring someone in to fix stuff.
Which is pretty cool now that EE has that as an option. Way to go! :)
--Ben
Which is pretty cool now that EE has that as an option. Way to go! :)
--Ben
Prepare the domain with adprep tool coming from the winsrv 2k8 DVD then add the winsrv 2k8 as
member server to the domain.
Make sure that DNS on 2k DC have AD integrated zones ( should be by default ) then run dcpromo on new winsrv 2k8 and configure it as DNS server and wait for replication.
Then move the 5 FSMO roles to the new server, make it Global catalog server.
Reconfigure workstations to use the new server for DNS.
Use robocopy from MS resource kit for copy the files including the permissions onto new srv 2k8.
If this is the first time , read carefully docs and perform a total backup twice.
HTH