Angela Owens
asked on
Domain Migration
I inherited a mess when the guy before me was fired. None of his work was documented and I have been playing CSI since I started here. We are in the process of migrating from physical laptops to thin clients and all VMs. We are moving from one domain (test.org) to one parent and two children (Test.org >Test1.org & test2.org). Since the old and new domains are named the same I cannot establish a trust, and it is going to be restructured differently.

The file structure on the file server will be the same, so I was contemplating just removing the file server from the old domain and adding it to the new one. I realize that I will have to assign the permissions manually to all of the data though. What would be the best way to complete this as far as user accounts, files, permissions, Exchange server, etc.? Right now I am at a loss and I was just going to recreate all of the user accounts. We only have about 40 users.

Also, right now we use folder redirection for the desktop, my documents and favorites. I have already created a group policy in the new domain, and it works, but when the user logs in for the first time it creates the folder. Is there a way to create the folder, put data in it, and then have the user sync up with it and already have the right permissions? I tested it and it did not work. All of the VMs will run Windows 7 and the servers are 2008 R2.
ASKER
From everything I have read you need a trust to be established to use ADMT and I cannot establish one because the old and new domains have the same name. Is that true? When I try it, it says that a trust cannot be established.
That's correct. You have to establish a trust between the Active Directory forests. The 2 Active Directory forests cannot have the same name. They should be different, for example domain.local or domain1.local. Active Directory forests with the same name will cause all sorts of issues: DNS, netlogon etc.
ASKER
Is there a way to migrate stuff without using the ADMT? I cannot rename either domain at this point. The current one is in use and the new one needs to be set up. We are going to have a day or two to take down the current one and bring up the new one. If migrate isn't the right word, then export and reimport?
Just start again with new one. How many domain controllers do you have in the new Active Directory forest? You obviously haven't migrated anything yet. So I would start again with the new forest by demoting the domain controller or domain controllers to member servers and then create the new Active Directory forest with a different name. This will solve all your problems.
If you choose not to do it this way, your workload will be trebled and a lot of manual intervention will be required.
Regards,
JBond2010
ASKER
I have contemplated that, just starting fresh. We haven't migrated anything yet, but the new domain is in place. We have two domain controllers in the parent and two in each child. We also have vSphere, a file server, and Horizon View Administrator, and a few other servers and it all works. I am a bit scared to start fresh because I am not that experienced and I don't want to break something and not be able to fix it. Is there a way in PowerShell to export the user accounts and reimport them?
You haven't created a new Active Directory forest? You've created a child domain in an existing Active Directory forest? Please confirm, thank you.
Regards,
JBond2010
ASKER
It was already in place when I started. It is a parent domain and two child domains. But the old domain and new one are named the same thing. In our new domain, the parent is going to have the servers and then the children will have the user accounts, etc. Right now everything is in one domain (our current working domain). We will have a few days of downtime, to migrate everything, when no users will be here and then we plan to bring it up in the new environment. I am trying to just get it all built at the moment. But I have not done any user accounts, Exchange, or moved the data over yet.
By default in this scenario, there are 2-way transitive trusts. So the parent domain trusts the 2 child domains and the 2 child domains trust the parent. This is how it works in Active Directory.
Correct me if I'm wrong. Did you say that the Parent domain does not trust the new child domain?
ASKER
The new parent domain and child domains have a trust going on. But I cannot establish a trust between our current domain or old domain and the new parent because they are named the same thing.
When you say the new domain, is this a new Active Directory forest or a new child domain of the existing Active Directory?
Do you have 2 separate Active Directory forests?
ASKER
I am sorry I may have not explained well. They are not part of any forests. Just two separate domains. The old and new are not joined in any way. I am not sure why the guy before me did it this way and why he just didn't create two new children under the existing domain. But my dilemma is how to get all the accounts recreated in the new domain and the mail moved.
You have 2 separate Active Directory forests then.
ASKER
Yes. I assumed they were domains, and not forests, sorry. But yes they are separate.
You have 2 separate Active Directory forests with the same name. Because they share the same name space, this is why you cannot create a forest trust.
What you need to do is, with the new forest demote the domain controllers thus removing Active Directory and then promote them again to domain controllers creating a new name space different from the old Active Directory forest.
Then create a 2-way Active Directory forest trust. Use the ADMT tool to migrate over the user and computer accounts and also copy over SID history and ACL permissions. You can then use robocopy to copy over the data and also the file and folder permissions. I have provided a link below on how to use the ADMT tool.
http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
Regards,
JBond2010
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for Angela Owens's comment #a40488827
for the following reason:
Since the new and old domain shared the same name a trust could not be established. Renaming either domain was not an option. If I could then I could have used the ADMT.
Hi Angela,
That's what I was trying to explain to you. You needed to recreate your environment in order to use the ADMT tool.
Regards,
JBond2010
http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
Also, for migrating files and folders while keeping permissions, please refer to the link below.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/84e62edf-d845-4ee3-95bf-695cc54f05fa/migrating-filesfolders-across-forests?forum=winserverMigration
Regards,
JBond2010
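
For the no-trust path raised in the question (export the accounts, recreate them, then fix permissions on the re-joined file server), here is an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module on the 2008 R2 servers; the function names, CSV columns and all parameter values are hypothetical. It goes one step beyond the thread by using the exported old SIDs to re-map explicit folder ACEs, which show up as raw SID strings once the server has left the old domain.

```powershell
# Added example, not from the thread. Paths, OU and domain values are placeholders.
Import-Module ActiveDirectory

# 1. Run in the OLD domain: export enabled users plus their SID (needed for step 3).
function Export-OldUsers([string]$CsvPath) {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress |
        Select-Object SamAccountName, GivenName, Surname, DisplayName, EmailAddress,
            @{ Name = 'OldSid'; Expression = { $_.SID.Value } } |
        Export-Csv -Path $CsvPath -NoTypeInformation
}

# 2. Run in the NEW child domain: recreate accounts. Passwords are not carried over;
#    every account gets a temporary one and must change it at first logon.
function Import-NewUsers([string]$CsvPath, [string]$TargetOU, [string]$UpnSuffix) {
    $tempPw = Read-Host 'Temporary password' -AsSecureString
    foreach ($u in Import-Csv $CsvPath) {
        $sam = $u.SamAccountName
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }  # already exists
        $name = if ($u.DisplayName) { $u.DisplayName } else { $sam }
        $p = @{ Name = $name; DisplayName = $name; SamAccountName = $sam; Path = $TargetOU
                UserPrincipalName = "$sam@$UpnSuffix"; AccountPassword = $tempPw
                ChangePasswordAtLogon = $true; Enabled = $true }
        foreach ($k in 'GivenName', 'Surname', 'EmailAddress') { if ($u.$k) { $p[$k] = $u.$k } }
        New-ADUser @p
    }
}

# 3. Run on the file server AFTER it has joined the new domain: replace explicit
#    folder ACEs that reference an old SID with the same rights for the new account.
function Convert-OldAces([string]$Root, [string]$CsvPath, [string]$NewDomain) {
    $map = @{}
    Import-Csv $CsvPath | ForEach-Object { $map[$_.OldSid] = "$NewDomain\$($_.SamAccountName)" }
    $dirs = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl $dir.FullName; $changed = $false
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $sid = $ace.IdentityReference.Value   # unresolved accounts appear as S-1-5-21-...
            if (-not $map.ContainsKey($sid)) { continue }
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $map[$sid], $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($rule); [void]$acl.RemoveAccessRule($ace); $changed = $true
        }
        if ($changed) { Set-Acl -Path $dir.FullName -AclObject $acl }
    }
}
```

Only user SIDs on folders are re-mapped here; groups and explicit ACEs on individual files would need the same export-and-map treatment. Treat the CSV as sensitive, since it lists every account name and SID in the old domain.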