• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 168
  • Last Modified:

migrating to a new Windows domain from a damaged old one

Hi,

I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else.  I'd like to start fresh with a new 2008 Domain controller if possible.

Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain.  The remaining problem is all the security settings when the SID changes.  That would be a pain in the ass going through all of the services on each machine.

Is there a way to preserve the SID and apply it to the new DC?

--Ben
0
Ben Conner
Asked:
Ben Conner
  • 5
  • 3
1 Solution
 
pablito70Commented:
Basically steps are:

Prepare the domain with adprep tool coming from the winsrv 2k8 DVD then add the winsrv 2k8 as
member server to the domain.

Make sure that DNS on 2k DC have AD integrated zones ( should be by default ) then run dcpromo on new winsrv 2k8 and configure it as DNS server and wait for replication.

Then move the 5 FSMO roles to the new server, make it Global catalog server.

Reconfigure workstations to use the new server for DNS.

Use robocopy from MS resource kit for copy the files including the permissions onto new srv 2k8.

If this is the first time , read carefully docs and perform a total backup twice.
HTH
0
 
Ben ConnerCTO, SAS developerAuthor Commented:
Can't add the new DC; the 2000 installation is too damaged.  Adprep chokes.  It's lost all policies, etc.

About the only thing still intact on it is the list of computers and user accounts.

That's why I was leaning toward starting fresh.

So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?

Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.

--Ben
0
 
pablito70Commented:
You can try with LDIFDE which is a tool for import/export AD objects between domains.

Sid may not kept, i suspect, so I think to have rejoin all computers and new logons are considered as new domain users for local profiles.

For exporting from your damaged domain:

ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"


For importing on new domain:

ldifde -i -f ExportOU.ldf -s Server2k8

Its only an example , take care from docs.
HTH
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Ben ConnerCTO, SAS developerAuthor Commented:
New logins would mean I'd have to go through all the services, folders, etc. and re-assign the rights, etc.?  If so, I was hoping to avoid that if possible.

--Ben
0
 
pablito70Commented:
I think so. For what I performed in the past, importing users from LDIFDE onto a new domain, when clients logon first time its as new local user so the local profile will be initiliazed once again.

There is the ADMT v3.1 tool for helping migration and preserve the SID history, but if your domain is damaged, I'm suspected you can't use this tool.

Why your are talking about PDC ? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).

Did you tried to rebuild the AD database or checks what's going wrong ?

My 2 cents
0
 
Ben ConnerCTO, SAS developerAuthor Commented:
Hi Pablito70,

The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :)  I tend to use the terminology at times when that isn't what it is any longer.  My apologies.

Yes, I brought in a very gifted Windows master to look things over.  She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.  

I've run out of time today to explore this option, and have a day job tomorrow.  Will have to visit it again tomorrow evening and try what you suggest.

Thanks!

--Ben
0
 
Ben ConnerCTO, SAS developerAuthor Commented:
Just a footnote to this question; I finally had MS paid tech support clean up the mess.  It was ugly and presented an interesting challenge to the young man who got the call.  I can't remember now how many things he had to unwind, but it was a lot.  Got it done though.  impressive.
0
 
Ben ConnerCTO, SAS developerAuthor Commented:
My comment was that I had to get paid tech support to unwind an especially ugly situation.  Well beyond my ability to accurately describe it to the EE community.  Sometimes you just have to bring someone in to fix stuff.  

Which is pretty cool now that EE has that as an option.  Way to go! :)

--Ben
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now