Solved

migrating to a new Windows domain from a damaged old one

Posted on 2013-11-03
8
160 Views
Last Modified: 2014-07-26
Hi,

I have a damaged Windows 2000 PDC that has Users and Computer defined still but not much else.  I'd like to start fresh with a new 2008 Domain controller if possible.

Very few users exist in the domain; I could create those if needed, as well as re-join the servers to the new domain.  The remaining problem is all the security settings when the SID changes.  That would be a pain in the ass going through all of the services on each machine.

Is there a way to preserve the SID and apply it to the new DC?

--Ben
0
Comment
Question by:Ben Conner
8 Comments
 
LVL 2

Expert Comment

by:pablito70
ID: 39620092
Basically the steps are:

Prepare the domain with the adprep tool from the winsrv 2k8 DVD, then add the winsrv 2k8 as a
member server to the domain.

Make sure that DNS on the 2k DC has AD-integrated zones (it should by default), then run dcpromo on the new winsrv 2k8, configure it as a DNS server and wait for replication.

Then move the 5 FSMO roles to the new server and make it a Global Catalog server.

Reconfigure workstations to use the new server for DNS.

Use robocopy from the MS resource kit to copy the files, including the permissions, onto the new srv 2k8.

If this is the first time, read the docs carefully and perform a total backup twice.
HTH
0
 

Author Comment

by:Ben Conner
ID: 39620155
Can't add the new DC; the 2000 installation is too damaged.  Adprep chokes.  It's lost all policies, etc.

About the only thing still intact on it is the list of computers and user accounts.

That's why I was leaning toward starting fresh.

So is there any way to retain the SID from the old DC if I were to give the new server the same domain name?

Sorry if I'm not quite using the correct terminology; I don't know enough about the process even to be dangerous.

--Ben
0
 
LVL 2

Expert Comment

by:pablito70
ID: 39620302
You can try LDIFDE, which is a tool to import/export AD objects between domains.

SIDs may not be kept, I suspect, so I think you have to rejoin all computers, and new logons are considered as new domain users for local profiles.

For exporting from your damaged domain:

ldifde -f Exportuser.ldf -s Server2k -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"


For importing on the new domain:

ldifde -i -f ExportOU.ldf -s Server2k8

It's only an example; take care to check the docs.
HTH
0

 

Author Comment

by:Ben Conner
ID: 39620393
New logins would mean I'd have to go through all the services, folders, etc. and re-assign the rights, etc.?  If so, I was hoping to avoid that if possible.

--Ben
0
 
LVL 2

Expert Comment

by:pablito70
ID: 39620624
I think so. From what I performed in the past, importing users with LDIFDE onto a new domain, when clients log on the first time it's as a new local user, so the local profile will be initialized once again.

There is the ADMT v3.1 tool to help with migration and preserve the SID history, but if your domain is damaged, I suspect you can't use this tool.

Why are you talking about a PDC? Your 2K server should be a DC with FSMO roles (and Global Catalog designated).

Did you try to rebuild the AD database or check what's going wrong?

My 2 cents
0
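As an added example (not code from this thread; PowerShell, with the old domain SID and the scanned paths as placeholder assumptions): once the domain has been rebuilt with new SIDs, this scan lists folder and service ACL entries on a re-joined member server that still point at the old domain's SID, which is exactly the set of rights that would otherwise have to be found and re-assigned by hand.

```powershell
# Added example, not code from the thread. After the domain rebuild the old domain's SIDs
# no longer resolve, so ACL entries that referenced them are orphaned S-1-5-21-... entries.
# This lists such entries on folders and on service DACLs so rights can be re-granted to
# the new accounts deliberately. Assumptions: $OldDomainSid is the old domain's SID
# (placeholder; take it from the old DC, e.g. "whoami /user" on a domain account minus the
# trailing RID), $Paths are the data roots to scan, and it runs elevated on each server.
param(
    [string]$OldDomainSid = 'S-1-5-21-OLD-DOMAIN-SID-PLACEHOLDER',
    [string[]]$Paths = @('D:\Shares')
)
$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = New-Object System.Collections.Generic.List[object]

function Test-OldDomainSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Domain account SIDs are <domain SID>-<RID>; AccountDomainSid strips the RID
    # (and is $null for built-in or well-known SIDs, which are never orphaned here).
    return ($null -ne $Sid.AccountDomainSid) -and ($Sid.AccountDomainSid.Value -eq $OldDomainSid)
}

# 1. File system: request rules keyed by SID so orphaned entries need no name lookup.
foreach ($root in $Paths) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if (Test-OldDomainSid $rule.IdentityReference) {
                $findings.Add((New-Object PSObject -Property @{ Kind = 'Path'; Object = $_.FullName;
                    Sid = $rule.IdentityReference.Value; Rights = [string]$rule.FileSystemRights }))
            }
        }
      }
}

# 2. Services: sc.exe sdshow returns each service's security descriptor as SDDL; parse it
#    raw so SIDs are compared directly instead of being resolved to (now missing) names.
foreach ($svc in Get-Service) {
    $sddl = (sc.exe sdshow $svc.Name) | Where-Object { $_ -match '^[OGDS]:' } | Select-Object -First 1
    if (-not $sddl) { continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace -is [System.Security.AccessControl.KnownAce]) -and (Test-OldDomainSid $ace.SecurityIdentifier)) {
            $findings.Add((New-Object PSObject -Property @{ Kind = 'Service'; Object = $svc.Name;
                Sid = $ace.SecurityIdentifier.Value; Rights = ('0x{0:X}' -f $ace.AccessMask) }))
        }
    }
}

$findings | Sort-Object Kind, Object | Format-Table Kind, Object, Sid, Rights -AutoSize
```

Registry keys and share permissions can be added to the same pattern with Get-Acl on HKLM: paths and the share security descriptors, which is where the remaining service configuration rights usually live.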
 

Author Comment

by:Ben Conner
ID: 39620682
Hi Pablito70,

The last time I had any formal exposure to Windows domain controller was when there were only PDC and BDC servers for domains. :)  I tend to use the terminology at times when that isn't what it is any longer.  My apologies.

Yes, I brought in a very gifted Windows master to look things over.  She found out there were key files missing crucial to rebuilding the AD that would be very tough to do without them.  

I've run out of time today to explore this option, and have a day job tomorrow.  Will have to visit it again tomorrow evening and try what you suggest.

Thanks!

--Ben
0
 

Accepted Solution

by:
Ben Conner earned 0 total points
ID: 40004474
Just a footnote to this question; I finally had MS paid tech support clean up the mess.  It was ugly and presented an interesting challenge to the young man who got the call.  I can't remember now how many things he had to unwind, but it was a lot.  Got it done though.  Impressive.
0
 

Author Closing Comment

by:Ben Conner
ID: 40221092
My comment was that I had to get paid tech support to unwind an especially ugly situation.  Well beyond my ability to accurately describe it to the EE community.  Sometimes you just have to bring someone in to fix stuff.  

Which is pretty cool now that EE has that as an option.  Way to go! :)

--Ben
0
