asked on
moving machines from one domain to another
I'm just installing a new domain controller in a new forest with a new domain. THe problem is the users PC are in a simular domain. Without going into the hows and whys, the machines are in kkcps.local and the new domain is kk.local. How can I migrate the machine to the new domain without killing the profiles?
ASKER
OK great I didn't think about that but here's the kicker... They are running the domain on a Synology nas so can I migrate via that? And do I run the tool on the DC or the PC?
What do you mean by running the domain on a Synology NAS?
The Synology is not a domain, it can just use the information (users/groups) from a domain to manage security permissions on files/folders.
If a trust is done between the 2 forests, it is possible to convert or transform (by script) the existing security on the NAS.
=> You need to have the same users/groups on the 2 forests (migrated by ADMT for example).
ADMT can be installed on a workstation or a server, and even on a domain controller (usually the target).
But you should look all the implications of using this tool. Depending on the number of users/workstations, it can be a big project.
ASKER
The synology NAS have domain controller capabilities so they used it. I'm in the process of getting them off that. I think we are talking 7 PCs that's all
ASKER
OK how does that work? I guess you run this locally?
Download it and try it. You assign the profile you want to the user account. You just can't be signed in as the account you want to assign to or from. Takes about 30-60 seconds on average (though occasionally it can take a bit longer, especially if the user has a LOT of files in their profile. But for an average profile, takes a few seconds.
So, Synology uses "Samba" to "simulate" a domain and a domain controller.
In that case, you don't need ADMT that probably would not work correctly.
And for 7 computers, as indicated, you can use some scripting to reset the permissions and the profiles to the new domain (hoping it is now a real Windows Domain).
Using a .local wasn't a big problem before (Only some rare problems with Apple/Mac networks), but it is now highly recommended to a domain using a referenced extension (.Com, .info, .net, etc...) to avoid a lot of problem when buying and using public certificates.
=> So, use a (public) domain that you own.
ASKER
So do I first add the machine to the new domain? Or leave in the old domain and run the program?
For the software to work, it has to be able to identify the new account you want to assign to the profile. Therefore, you can only do it after you've joined the machine to the new domain. The software is small and easy to use. You would be well advised to do a quick test to familiarize yourself with how it works. I'm confident it will make sense and you'll be able to figure it out in minutes.
The one irritant I have with it is that it reboots your computer after you complete the transfer. You can abort the reboot if you keep an admin level command prompt open and type shutdown /a as soon as you see the prompt about a reboot. (It's not the worst thing to have happen, but sometimes I have other tasks I want to complete before waiting for a reboot to complete).
ASKER
Thanks. I'll be in the office tomorrow and let you know how it works. Thanks much
ASKER
Thanks much that tool worked perfectly!
So, you are moving between 2 Forests ?
The 2 domains are not in the same forest?
In fact, moving the computers between domain or forests is not really the problem.
Because, you have to configure a trust between the 2 forests/domains before being able to move computers.
You will need to install ADMT (or similar tool) to do this migration.
BUT, if you only migrate computers,
- the good news is that profiles are not killed,
- the bad news is that profiles are still attached and working with the source/original domain/forest.
So, to migrate profiles, you have to migrate Users and Groups (with their security) between the 2 forests.
=> In that case, ADMT can also help you to do that, and the migration of computers (clients/servers) can also be done with the tool, particularly for file servers.
If you simply move (or attach), the computers to the new domain. Old profiles are still on the disk, but you will have to use some (complex) scripts to change the permissions, and associate the new SID of the user to the old content/folders. And that is not easy.
If the user open a session with the new domain, by default, a new profile will be created. Only files from the old profile could be recoverable (if the user has the permission to access the old profile).