CCtech

ADMT Intra Forest migration questions

Hi All, I am working on a domain migration. In the past I have used ADMT. I am familiar with the setup and use of ADMT from previous migrations, and am comfortable with the process of migrating groups, users, and computers from an old forest to a new forest.

The process works well, since I can migrate all groups and users in advance since ADMT copies them over. They still exist on the source domain. This allows me to migrate everything over at once, then I can work on smaller groups of computers at a time. For example, I can migrate over 1000 users and 200 groups, and the users can still actively work on their source domain. Once I migrate their computer from source to target domain, the next day they are logging in to the target. This I would do in groups of about 25 computers.

I am now working on an intra-forest migration from one domain to the other. I was not aware ADMT 'moves' accounts and groups rather than 'copies' them until my first test user on the environment. This was shocking to me, seeing the account deleted from source domain.

To specify the exact setup, the environment is as follows:

----

Target / New domain: somename.targetdomain.com

Source / Old domain: sourcedomain.com

There is a two way Tree Root transitive trust set up between the two.

----

Is there a way around this with intra forest migrations? I am looking for suggestions on how to go about the migration process now for thousands of users, since my original plan I have used in the past for inter forest migrations will not work in this scenario. Thanks in advance.
Akhater

You have nothing to worry about; you can move groups, no issue. You just need to be careful with the group type (Global or Domain Local, etc.). Since it is in the same forest, it doesn't really matter which domain the group is in.
CCtech

ASKER

Akhater, can you clarify this please?

Using my topology above;
----

Target / New domain: somename.targetdomain.com

Source / Old domain: sourcedomain.com

There is a two way Tree Root transitive trust set up between the two.

----

TestUser AD account is located in sourcedomain.com and so is his computer.
Testuser logs in to his computer as sourcedomain\testuser.
We migrate TestUser AD account from sourcedomain.com to somename.targetdomain.com.
The user's computer is still on sourcedomain.com. When the user goes to log in to his computer as sourcedomain\testuser, you are saying it will still work even though his AD account no longer exists there?
CCtech

ASKER

Hi Mahesh, thanks for this info; very useful. I understand ADMT is moving users in intra-forest migrations, and I am familiar with SID history and all. I am curious if we can break the forest trust and reconfigure it as an external trust. Is this a possibility? There are no dependencies on the target domain yet; it is currently an empty domain shell with only some DCs.

You are talking about a single forest and breaking the trust between domains in that forest?
How could you break the forest trust? That's not possible and totally not supported, even if you delete $domain from the directory partition.
Also, an external trust is not possible in the same forest, as the name itself expresses: "External" means a domain outside your forest boundary. This is not your case.

If you do not want to migrate users within the same forest, establish a new AD forest, but then you need to redesign your strategy and every single component in your strategy to reflect the cross-forest migration which you are familiar with.

Mahesh.
CCtech

ASKER

Understood Mahesh, I agree but am just trying to think outside of the box. We will proceed with ADMT and just have to cut over users and computers at the same time. It will just be less graceful is all. Thanks.