I have used Quest’s migratory product in similar situations where the user base was populated, but all we wanted was symbolic linkage for groups, re-ACLing and sidHistory, without disturbing what was there already, and nothing “broke”, including mail. I’ve also done non-ADC migrations using the same tool with great success.

 

If you have to script, then doing the group sync can be done, but the re-ACLing on anything more than 2 machines is going to bite you badly: if you’re scripting, an ACE append for every “old” SID and an ACE cleanup after co-existence is done. Even with sidHistory, at some stage you need to re-ACL and drop the old ACEs.

 

If you can afford to wipe out and try again, suggest using a third party tool like migrator, as I’ve done “green field” migrations manually and with tools, and I’d rather take the tool route any day, especially if I can choose to NOT use the ADC ;)

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Morris, Adam
Sent: 15 April 2004 03:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Dilemma

 

Hunter,
The user accounts were all created by a script and an email was sent to the new account so it became a mailbox.  Permissions were then assigned to the mailbox to allow the NT 4 domain account owner rights to the mailbox so they are still authenticating with the old domain controllers.  There is an Exchange 5.5 and ADC in the mix but it is at another site so hopefully this won’t cause any issues.   
 
Basically we just want to migrate the groups and group memberships over as well as all the old file permissions so we can decommission the old domain.  Initially we had thought the ADMT was going to be able to help us by allowing us to tie the SID from the old account to the new account, but it looks like that is only an option if you don’t already have the user accounts created.   
 
Thank you for the response!
Adam
 
 
From: "Coleman, Hunter" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Migration Dilemma
Date: Wed, 14 Apr 2004 09:50:16 -0600
Reply-To: [EMAIL PROTECTED]
What are the desired results?
 
How were the user accounts and mailboxes created in the new domain
initially? Are the users authenticating against the mailboxes with their NT
4 accounts, or with the AD accounts? Is there an Exch 5.5 organization and
an ADC in the mix?
 
Hunter 
 
-----Original Message-----
From: Morris, Adam [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 14, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migration Dilemma
 
Hello,
 
We are in the process of planning our migration from NT 4 to Windows 2000
AD.  Last year we deployed a minimal AD site in order to roll-out Exchange
2000 for our users.  User accounts and mailboxes were created in the new
domain but no users were migrated.  Some initial testing with the ADMT
indicates that it will not produce the desired results.
  
At this time I can see 2 possible plans of action and I'm looking for some
better options.  (Like maybe another way to migrate the SIDs to the new
accounts in AD or a way to get ADMT to update the existing accounts instead
of replacing them).
 
Plan 1:  Back up all the user mailboxes, wipe the AD accounts, use ADMT to
move all the accounts/groups, and then restore mailbox data.
 
Plan 2:  Spend the time to develop custom scripts that will add/create the
appropriate groups and script as much of the migration as possible.
 
Currently we have close to 150 groups for around 400 users and multiple file
servers so the thought of doing a manual migration process is pretty
painful.  If anybody has any suggestions or thoughts I'd much appreciate the
feedback.
 
Thank you!
Adam Morris
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
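
The two scripted phases mentioned in the first reply (an ACE append for every old SID, then an ACE cleanup once co-existence ends), as an added example that is not part of the original thread. It works on SDDL strings, the text form of a security descriptor; the SID map and the sample descriptor are constructed, and conditional ACEs are assumed absent.

```python
import re

# Constructed map for illustration: old NT 4 account SID -> new AD account SID.
SID_MAP = {"S-1-5-21-1111-2222-3333-1105": "S-1-5-21-7777-8888-9999-2210",
           "S-1-5-21-1111-2222-3333-1140": "S-1-5-21-7777-8888-9999-2315"}
# Constructed SDDL: one explicit and one inherited ("ID") ACE for old-domain SIDs.
SAMPLE = ("O:BAG:DUD:AI(A;OICI;FA;;;BA)"
          "(A;OICI;0x1301bf;;;S-1-5-21-1111-2222-3333-1105)"
          "(A;OICIID;0x1200a9;;;S-1-5-21-1111-2222-3333-1140)")


def _split(sddl):
    """Split SDDL into (text before DACL, DACL flags, ACE field lists, text after)."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = [a.split(";") for a in re.findall(r"\(([^()]*)\)", m.group(2))]
    return sddl[:m.start()], m.group(1), aces, sddl[m.end():]


def _join(head, flags, aces, tail):
    return head + "D:" + flags + "".join("(%s)" % ";".join(a) for a in aces) + tail


def _twin(ace, sid_map):
    """Return the ACE rewritten for the new SID, or None if it must be left alone."""
    if len(ace) < 6 or ace[5] not in sid_map:
        return None
    if "ID" in re.findall("..", ace[1]):   # inherited: fix it on the parent instead
        return None
    return ace[:5] + [sid_map[ace[5]]] + ace[6:]


def append_new_sids(sddl, sid_map):
    """Co-existence: add a new-SID copy right after each explicit old-SID ACE."""
    head, flags, aces, tail = _split(sddl)
    out = []
    for ace in aces:
        out.append(ace)
        twin = _twin(ace, sid_map)
        if twin and twin not in aces and twin not in out:   # idempotent on re-runs
            out.append(twin)                # adjacent copy keeps canonical ACE order
    return _join(head, flags, out, tail)


def drop_old_sids(sddl, sid_map):
    """Cleanup: remove an old-SID ACE only when its new-SID copy is already present."""
    head, flags, aces, tail = _split(sddl)
    kept = [a for a in aces if _twin(a, sid_map) not in aces]
    return _join(head, flags, kept, tail)
```

Because the cleanup only removes an old-SID ACE whose new-SID copy is present, running it on a descriptor that was never processed in the append phase leaves access unchanged.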
