migrating to a new Windows domain from a damaged old one

Posted on 2013-11-03
Last Modified: 2014-07-26
Hi,

I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else.  I'd like to start fresh with a new 2008 Domain controller if possible.

Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain.  The remaining problem is all the security settings when the SID changes.  That would be a pain in the ass going through all of the services on each machine.

Is there a way to preserve the SID and apply it to the new DC?

--Ben
0
Question by:Ben Conner
8 Comments
 
LVL 2

Expert Comment

by:pablito70
ID: 39620092
Basically steps are:

Prepare the domain with the adprep tool from the WinSrv 2k8 DVD, then add the WinSrv 2k8 server as a member server to the domain.

Make sure that DNS on the 2k DC has AD-integrated zones (it should by default), then run dcpromo on the new WinSrv 2k8, configure it as a DNS server and wait for replication.

Then move the 5 FSMO roles to the new server and make it a Global Catalog server.

Reconfigure workstations to use the new server for DNS.

Use robocopy from the MS Resource Kit to copy the files, including the permissions, onto the new srv 2k8.

If this is the first time, read the docs carefully and perform a total backup twice.
HTH
0
 

Author Comment

by:Ben Conner
ID: 39620155
Can't add the new DC; the 2000 installation is too damaged.  Adprep chokes.  It's lost all policies, etc.

About the only thing still intact on it is the list of computers and user accounts.

That's why I was leaning toward starting fresh.

So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?

Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.

--Ben
0
 
LVL 2

Expert Comment

by:pablito70
ID: 39620302
You can try LDIFDE, which is a tool for importing/exporting AD objects between domains.

The SID may not be kept, I suspect, so I think you'll have to rejoin all computers, and new logons are considered new domain users for local profiles.

For exporting from your damaged domain:

ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"


For importing on the new domain (the import file is the one written by the export above):

ldifde -i -f Exportuser.ldf -s Server2k8

It's only an example; take care to check the docs.
HTH
0
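An added example, not from this thread or its participants, that addresses the concern above: once the users are recreated in a fresh domain, every ACL that referenced the old domain's accounts is left with an unresolvable S-1-5-21-... SID, and the rights have to be reassigned by hand. This PowerShell script walks a share tree, finds non-inherited ACEs whose SID belongs to the old domain, and maps them to the account of the same name in the new domain via a RID-to-name table. The old domain SID, the new domain name, the share path and the RID table are placeholders/constructed values; the RID table would have to be built from the old DC (the ldifde export above would need objectSid added to its -l list for that), and the script only reports until $WhatIf is set to $false.

```powershell
# Added example (not the thread's own code). Re-ACLs a share tree after a
# fresh domain build: old-domain SIDs -> same-named accounts in the new domain.
$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # placeholder
$NewDomain    = 'NEWDOM'                                      # placeholder
$Root         = 'D:\Shares'                                   # placeholder
$WhatIf       = $true   # report only; set to $false to apply the changes

# RID -> sAMAccountName for the old domain (constructed sample values).
$RidToName = @{ '1104' = 'jsmith'; '1105' = 'bconner'; '1110' = 'FileAdmins' }

Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }   # inherited ACEs follow their parent
        $sid = $ace.IdentityReference.Value  # unresolved SIDs show as S-1-5-21-...
        if ($sid -notlike "$OldDomainSid-*") { continue }
        $rid = $sid.Substring($OldDomainSid.Length + 1)
        if (-not $RidToName.ContainsKey($rid)) {
            Write-Warning "$($_.FullName): no mapping for $sid (RID $rid); left as-is"
            continue
        }
        $newId  = New-Object System.Security.Principal.NTAccount("$NewDomain\$($RidToName[$rid])")
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        Write-Output "$($_.FullName): $sid -> $newId ($($ace.AccessControlType) $($ace.FileSystemRights))"
        $acl.RemoveAccessRule($ace) | Out-Null   # drop the dead SID entry
        $acl.AddAccessRule($newAce)              # same rights, new principal
        $changed = $true
    }
    if ($changed -and -not $WhatIf) { Set-Acl -LiteralPath $_.FullName -AclObject $acl }
}
```

Entries with no mapping are reported rather than removed, so nothing is silently dropped; review the report before switching off $WhatIf.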
 

Author Comment

by:Ben Conner
ID: 39620393
New logins would mean I'd have to go through all the services, folders, etc. and re-assign the rights, etc.?  If so, I was hoping to avoid that if possible.

--Ben
0
 
LVL 2

Expert Comment

by:pablito70
ID: 39620624
I think so. From what I performed in the past, importing users from LDIFDE onto a new domain, when clients log on the first time it's as a new local user, so the local profile will be initialized once again.

There is the ADMT v3.1 tool for helping migration and preserving the SID history, but if your domain is damaged, I suspect you can't use this tool.

Why are you talking about a PDC? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).

Did you try to rebuild the AD database or check what's going wrong?

My 2 cents
0
 

Author Comment

by:Ben Conner
ID: 39620682
Hi Pablito70,

The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :)  I tend to use the terminology at times when that isn't what it is any longer.  My apologies.

Yes, I brought in a very gifted Windows master to look things over.  She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.  

I've run out of time today to explore this option, and have a day job tomorrow.  Will have to visit it again tomorrow evening and try what you suggest.

Thanks!

--Ben
0
 

Accepted Solution

by:Ben Conner (earned 0 total points)
ID: 40004474
Just a footnote to this question; I finally had MS paid tech support clean up the mess.  It was ugly and presented an interesting challenge to the young man who got the call.  I can't remember now how many things he had to unwind, but it was a lot.  Got it done though.  Impressive.
0
 

Author Closing Comment

by:Ben Conner
ID: 40221092
My comment was that I had to get paid tech support to unwind an especially ugly situation.  Well beyond my ability to accurately describe it to the EE community.  Sometimes you just have to bring someone in to fix stuff.  

Which is pretty cool now that EE has that as an option.  Way to go! :)

--Ben
0
