Solved

AD migration

Posted on 2013-12-12
Last Modified: 2013-12-30
Need to migrate AD with multiple domains. Is there any way by which we can migrate without admin access? One way is to build a new DC and create (migrate all resources belonging to AD), but not sure how we can completely achieve this.
Question by:sivark14
8 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39713788
You absolutely need admin access to do this. Think about it: if you didn't, then any user in your domain could perform tasks such as this. You need domain admin rights to perform any domain-level tasks, enterprise admin rights to perform high-level tasks at the forest level, and if you are doing schema changes then you will require schema admin rights.

If you created a new forest with a new domain, you still have to have domain/enterprise admin permissions, as you will need to create a forest trust with the new domain, and that privilege requires domain/enterprise admin rights.

Permissions required for specific tasks for migration. http://technet.microsoft.com/en-us/library/cc974398(v=ws.10).aspx

Will
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39713790
You can use the Microsoft ADMT tool for cross-domain resource migration.

You require appropriate admin access in the resource domain for that.

You can use delegated access for resource migration (i.e. you can avoid domain admins and high-privilege groups).

Please check the ADMT guide:

http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

Mahesh
0
 

Author Comment

by:sivark14
ID: 39713812
Yes, of course we need admin access, but I am looking for a way to migrate without any kind of admin access. For example, export all object details in the domain and import them manually or use a script. Thinking of restoring system state to restore AD objects in the new forest domain and not doing any trust relationship.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39713821
You cannot restore the AD system state of one domain to another domain.

You can export all object details and import them in the new domain with csvde, DS command tools, etc.

Then this is not a migration.
If you want to do a real migration, then ADMT is the only way.

Check the link below:
http://www.petenetlive.com/KB/Article/0000794.htm

Mahesh
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39713828
A migration is much different than simply using PowerShell to export users/groups and import them into the other domain. You are basically just creating the object, but none of the security principals will be tied to the user's account once you have created them in the new domain.

Migration would be the best approach if you have proper credentials. If you do not, then script with PowerShell, doing an export of all users/groups etc. and then importing them into the new domain. You will then have to manually set up all of the ACLs for the new domain, moving the users back into the corresponding groups.

As for the trust, after this is completed you will still need domain admin privileges in the forest root domain or enterprise admin rights to achieve this.

Will
0
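Added example, not part of the original thread: a Python sketch of why an export/import with csvde leaves existing ACLs pointing at nothing, and of the old-to-new SID map needed to re-ACL resources by hand. It assumes `objectSid` appears in the CSV as an `X'<hex>'` literal; the account names, SIDs and share ACL are constructed sample data.

```python
import csv, io, struct

def decode_sid(literal):
    """Decode a binary objectSid given as X'<hex>' into S-1-5-21-... string form."""
    raw = bytes.fromhex(literal.strip()[2:-1])
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then <count> little-endian 32-bit sub-authorities.
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    authority = int.from_bytes(raw[2:8], "big")
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def encode_sid(sid):
    """Inverse of decode_sid; only used to build the constructed sample exports."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return "X'%s'" % (raw + struct.pack("<%dI" % len(subs), *subs)).hex()

def sid_map(source_csv, target_csv):
    """Old SID -> new SID for accounts in both exports, matched on sAMAccountName."""
    def load(text):
        return {r["sAMAccountName"]: decode_sid(r["objectSid"])
                for r in csv.DictReader(io.StringIO(text))}
    old, new = load(source_csv), load(target_csv)
    return {old[name]: new[name] for name in old if name in new}

def reacl_plan(acl_sids, mapping):
    """ACE SIDs that name source-domain accounts, with the SID to replace each by."""
    return {sid: mapping[sid] for sid in acl_sids if sid in mapping}

def export(rows):
    """Build a constructed two-column export (assumed csvde-style X'..' SIDs)."""
    header = "sAMAccountName,objectSid\n"
    return header + "".join("%s,%s\n" % (n, encode_sid(s)) for n, s in rows)

# Constructed sample data: the same accounts exported from the source domain
# and again after being re-created in the new domain (new domain SID, new RIDs).
SOURCE = export([("alice", "S-1-5-21-1111-2222-3333-1104"),
                 ("bob", "S-1-5-21-1111-2222-3333-1105")])
TARGET = export([("alice", "S-1-5-21-4444-5555-6666-1601"),
                 ("bob", "S-1-5-21-4444-5555-6666-1602")])
# Constructed ACL of one file share: built-in Administrators plus alice's old SID.
SHARE_ACL = ["S-1-5-32-544", "S-1-5-21-1111-2222-3333-1104"]

if __name__ == "__main__":
    for old, new in reacl_plan(SHARE_ACL, sid_map(SOURCE, TARGET)).items():
        print("ACE for", old, "must be rewritten to", new)
```
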
 

Author Comment

by:sivark14
ID: 39713856
Is there any way to restore system state on a new domain by having the same domain name and SID value as the source domain, so it will have the same configuration details and restoration will work?

Thanks
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1000 total points
ID: 39713905
This is not achievable and/or not supported. The system state holds Active Directory info from the original domain; I don't know how you would go about using that and restoring it into the new domain.

As stated, there are a few things you can do that are supported and will work. If this is a production environment, I would highly recommend that you proceed with either method. Trying to hack or work around it could just create more trouble than you are looking for, and may not even get your end results.

Will.
0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39714185
Hello,
Using ADMT we can migrate. By the way, what version of AD are you trying to migrate, and to which version?
If you really want to know more about AD migration, I suggest you refer to one of our MVP's sites: http://www.sivarajan.com/admt.html
0
