Solved

migrating to a new Windows domain from a damaged old one

Posted on 2013-11-03
Last Modified: 2014-07-26
Hi,

I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else.  I'd like to start fresh with a new 2008 Domain controller if possible.

Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain.  The remaining problem is all the security settings when the SID changes.  That would be a pain in the ass going through all of the services on each machine.

Is there a way to preserve the SID and apply it to the new DC?

--Ben
Question by:Ben Conner
8 Comments
LVL 2

Expert Comment

by:pablito70
ID: 39620092
Basically, the steps are:

Prepare the domain with the adprep tool from the winsrv 2k8 DVD, then add the winsrv 2k8 as a member server to the domain.

Make sure that DNS on the 2k DC has AD-integrated zones (it should by default), then run dcpromo on the new winsrv 2k8, configure it as a DNS server and wait for replication.

Then move the 5 FSMO roles to the new server and make it a Global Catalog server.

Reconfigure workstations to use the new server for DNS.

Use robocopy from the MS resource kit to copy the files, including the permissions, onto the new srv 2k8.

If this is the first time, read the docs carefully and perform a total backup twice.
HTH

Author Comment

by:Ben Conner
ID: 39620155
Can't add the new DC; the 2000 installation is too damaged.  Adprep chokes.  It's lost all policies, etc.

About the only thing still intact on it is the list of computers and user accounts.

That's why I was leaning toward starting fresh.

So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?

Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.

--Ben
LVL 2

Expert Comment

by:pablito70
ID: 39620302
You can try LDIFDE, which is a tool for importing/exporting AD objects between domains.

The SID may not be kept, I suspect, so I think you have to rejoin all computers, and new logons are considered as new domain users for local profiles.

For exporting from your damaged domain:

ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"


For importing on new domain:

ldifde -i -f ExportOU.ldf -s Server2k8

It's only an example; take care to follow the docs.
HTH

Author Comment

by:Ben Conner
ID: 39620393
New logins would mean I'd have to go through all the services, folders, etc. and re-assign the rights, etc.?  If so, I was hoping to avoid that if possible.

--Ben
LVL 2

Expert Comment

by:pablito70
ID: 39620624
I think so. From what I performed in the past, importing users with LDIFDE onto a new domain, when clients log on the first time it's as a new local user, so the local profile will be initialized once again.

There is the ADMT v3.1 tool to help with migration and preserve the SID history, but if your domain is damaged, I suspect you can't use this tool.

Why are you talking about a PDC? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).

Did you try to rebuild the AD database or check what's going wrong?

My 2 cents
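One practical follow-up to the point above that rights have to be reassigned (an added example, not part of the thread): once users and computers are recreated in a fresh domain, ACLs on the file server still carry the old domain's SIDs, which no longer resolve to a name. This PowerShell script lists the explicit ACEs under a share root that reference such orphaned SIDs so each can be remapped deliberately; $Root and $OldDomainSid are assumed placeholders.

```powershell
# Added example (not from the thread): report explicit ACEs whose identity is a SID
# that no longer resolves, i.e. leftovers from the old domain after a fresh domain build.
# Assumptions: run in an elevated PowerShell on the file server; $Root is a placeholder.
param(
    [string]$Root = 'D:\Shares',   # assumed share root to scan
    [string]$OldDomainSid = ''     # optional: old domain SID prefix (S-1-5-21-...), empty = any unresolved SID
)

$orphaned = @()
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { $acl = Get-Acl -LiteralPath $path } catch { return }   # skip paths we cannot read
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # inherited ACEs are fixed at their source
            $id = $ace.IdentityReference
            # An identity that cannot be translated to DOMAIN\name is left as the raw SID string.
            if ($id.Value -match '^S-1-5-21-') {
                if (-not $OldDomainSid -or $id.Value.StartsWith($OldDomainSid)) {
                    $orphaned += [pscustomobject]@{
                        Path   = $path
                        Sid    = $id.Value
                        Rights = $ace.FileSystemRights
                        Type   = $ace.AccessControlType
                    }
                }
            }
        }
    }

$orphaned | Sort-Object Path | Format-Table -AutoSize
"$($orphaned.Count) explicit ACE(s) reference SIDs that no longer resolve."
# Keep a record so each entry can be re-granted to the recreated account and then removed.
$orphaned | Export-Csv -NoTypeInformation -Path "$env:TEMP\orphaned-aces.csv"
```

The same idea applies to service logon accounts and local group memberships on each server, which ADMT's SID history would otherwise have covered.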

Author Comment

by:Ben Conner
ID: 39620682
Hi Pablito70,

The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :)  I tend to use the terminology at times when that isn't what it is any longer.  My apologies.

Yes, I brought in a very gifted Windows master to look things over.  She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.  

I've run out of time today to explore this option, and have a day job tomorrow.  Will have to visit it again tomorrow evening and try what you suggest.

Thanks!

--Ben

Accepted Solution

by:Ben Conner (earned 0 total points)
ID: 40004474
Just a footnote to this question; I finally had MS paid tech support clean up the mess.  It was ugly and presented an interesting challenge to the young man who got the call.  I can't remember now how many things he had to unwind, but it was a lot.  Got it done though.  Impressive.

Author Closing Comment

by:Ben Conner
ID: 40221092
My comment was that I had to get paid tech support to unwind an especially ugly situation.  Well beyond my ability to accurately describe it to the EE community.  Sometimes you just have to bring someone in to fix stuff.  

Which is pretty cool now that EE has that as an option.  Way to go! :)

--Ben