Solved

User impact when migrating from the old AD domain into the new AD domain?

Posted on 2015-02-08
Last Modified: 2015-02-08
Folks,

Before I go ahead with the plan to migrate the AD from one domain to another using ADMT, I just wanted to know and cover all of the bases and possibilities of what is going to happen from the user perspective.

1. What happens to the AD domain selection or dropdown that the user usually selects during the workstation or Windows Server logon process? Will the user account be the same, with a different AD domain label?

2. What happens to a user who has not logged off from the workstation? Would they be able to log off and log in as normal, or will their account / desktop be broken?

3. Do I have to manually exit the domain and then rejoin the new domain for the servers and the workstations?

I need to know if the users will experience downtime or any difference that they need to be aware of.

Note: There is no Exchange Server to worry about in this old domain.
0
7 Comments
 
LVL 7

Assisted Solution

by:Scobber
Scobber earned 100 total points
ID: 40596731
Your computers should default to the domain they are joined to; however, you can use domain2\username to force selection of the second domain. Also, it is good practice to use the user principal name to log in to workstations, e.g. username@fqdn. Additional UPNs can be provisioned using AD Sites and Services or AD Domains and Trusts.
http://support.microsoft.com/kb/243280
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40596772
OK, so in this case the users should not need to change their way of working with the new domain migration?

What about the files of the users on the old file server when the old AD domain is decommissioned?
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 400 total points
ID: 40597048
I guess this is a continuation of the last question.

OK
To answer your questions:

1. When you migrate users, after migration I guess you need to select all migrated users in the target domain, go to their properties and change the UPN to reflect the new domain UPN from the Account tab, because users will migrate their own UPN as well to the new domain.
For example: the source domain is contoso.com and the user is user1@contoso.com.
After you migrate the user to target.com, it will still show user1@contoso.com, which you need to change to user1@target.com.
From Vista onwards the domain is not shown by default at logon; you need to type target\user the 1st time, which will then get cached for the next logons.
A migrated user will carry all attributes, including SID History, which is useful in maintaining co-existence, such as accessing a file server in source from parent.

2 & 3: There is no question of user logoff and logon; ADMT will migrate the machine from source to target along with the user profiles.
What this will do: ADMT will push an agent to the workstation, translate user profiles, shares and registry permissions from the source user to the corresponding target user, and finally disjoin the machine from the source domain, join it to the target domain and reboot it.
Post reboot, the target user will get the old profile back as it is, so practically the end user will not see any difference except target\user during logon.
The process is the same for workstations and servers.

Domain migration uses a concept called SID History.
While migrating users and groups you will migrate their SID as SID History to the target users and groups; moreover, due to this SID History, the source accounts' group membership in the source domain also automatically gets translated \ carried forward to the target domain, provided that the groups are already migrated.
After that you disable SID filtering and enable SID History over the domain trust.
In fact, during co-existence migrated users can access their data on old domain file servers via the associated SID History. When a target user tries to access his data in the old domain, the file server looks for his old domain SID as SID History and grants the same access to the target user as the source user.
Like I said in an earlier post, please set up a lab to test all scenarios, because it may not be possible to explain each and every term over this communication medium.
0
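The UPN clean-up and SID History carry-over described in the accepted answer can be checked in bulk. This is an added example, not part of the original thread and not ADMT's own tooling; it assumes the ActiveDirectory PowerShell module, reuses the answer's contoso.com / target.com names, and the search-base OU is a hypothetical placeholder.

```powershell
# Added example: inventory migrated users in the target domain, show which ones
# still carry the source UPN suffix and which source SIDs ride along as sIDHistory.
Import-Module ActiveDirectory

$OldSuffix  = 'contoso.com'                     # source suffix from the answer's example
$NewSuffix  = 'target.com'                      # target suffix from the answer's example
$SearchBase = 'OU=Migrated,DC=target,DC=com'    # hypothetical OU holding migrated users

# Accounts migrated with SID History are the ones that have a sIDHistory value.
$migrated = Get-ADUser -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
                       -Properties sIDHistory, userPrincipalName

$report = foreach ($u in $migrated) {
    $upn   = $u.UserPrincipalName
    $stale = [bool]($upn -and
             $upn.EndsWith("@$OldSuffix", [StringComparison]::OrdinalIgnoreCase))

    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        SamAccountName    = $u.SamAccountName
        CurrentUPN        = $upn
        StaleSuffix       = $stale
        # Keep the local part, swap only the suffix.
        ProposedUPN       = $(if ($stale) {
                                  $upn.Substring(0, $upn.LastIndexOf('@')) + "@$NewSuffix"
                              } else { $upn })
        # Source-domain SIDs this account will present during co-existence.
        SidHistory        = ($u.sIDHistory | ForEach-Object { $_.Value }) -join ';'
    }
}

$report | Format-Table SamAccountName, CurrentUPN, ProposedUPN, SidHistory -AutoSize

# Dry run: -WhatIf prints each change without writing it. Remove -WhatIf only
# after the report has been reviewed.
foreach ($r in $report | Where-Object { $_.StaleSuffix }) {
    Set-ADUser -Identity $r.DistinguishedName -UserPrincipalName $r.ProposedUPN -WhatIf
}
```

The SidHistory column doubles as an inventory of which accounts still depend on source-domain SIDs, which is the list to revisit once co-existence ends and the file server ACLs have been translated.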

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40597336
Thanks Mahesh for the complete reply. I assume that the reboot on the workstation can be scheduled, or is it automatically rebooted at random?

So in this case, do I need to do anything on the file server to resume user access to their files after the server is installed with the ADMT agent and then disjoined and rejoined on the new domain?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40597683
No, you can't schedule the reboot of workstations; after the agent operation is finished, the machine will be rebooted after a predefined delay (minimum 1 minute to maximum 10 minutes, I guess).
Post reboot, the machine will be part of the target domain.

Before migrating the file server:
You should migrate all source groups with SID History.
Then migrate all users with SID History and the "Fix group membership" option; this will ensure that the target user will have the same group membership as the source.
After that you will migrate all computer objects.
After that you will migrate the file server just like a normal computer and you should be fine. Due to SID History, file server access will be retained during co-existence.
Post migration, the file server's source domain ACL will be either replaced \ merged with the target domain ACL, depending upon what options you choose.

If you are migrating the file server after all users and computers migration is finished, you can migrate the file server with Replace mode.
If you are migrating the file server in between, before completing all user and computer migration, you should migrate the file server with Merge mode so that, post file server migration, the remaining source users will retain their access to the file server, which is now part of the target domain.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40597689
Cool, many thanks Mahesh for the detailed explanation, I truly appreciate your time to reply to my thread.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40597692
It's my pleasure

Thanks
0
