Title: Ladies and Gentleman, A complex AD/Exchange issue.

Sounds like a process winning over technology issue here:

An inter-forest migration tool that will support a migration with SID-history and offer an ACL cleanup should do the job.

What you’re looking for is

a) Transparency for your roving users

b) Consolidated accounts

c) ACL cleanup


I would advocate a SID-history type consolidation (unless you work for gov or fin) as it gives you a reasonable time window to find and clean your ACLs and then GET RID OF THEM, once they’re done with.

Exchange accounts won’t be too much of a problem, since you’re “migrating” mail from one account to another, and I would imagine you’ve done a bit of work so that only one mailbox is authoritative for mail delivery at any one time, or that you’re syncing them constantly (unlikely). Again, a good migration tool will help you here; ideally what you’re looking for is to pick the authoritative mailbox, sync the mail data over, cut the mailbox over when it’s done, and drop it.


Although you can go an awfully long way if you have some script knowledge, I would advocate a toolset here, since

a) object numbers in excess of 1000 users

b) a vendor to blame and support you to fix if something breaks

c) your butt in a sling if your scripted solution breaks against one of the “high ranking company officials” – see point b)


In summary to your requirements below:


A good migration tool that supports a two-way dir sync, including passwords, would sort the issue if you can’t use a single logon – it is the same forest after all. Why not keep the single account, permission accordingly and use Outlook in offline sync mode?


I might be thinking far too simplistically here?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: 05 November 2004 10:06 PM
Subject: [ActiveDir] Ladies and Gentleman, A complex AD/Exchange issue.


Background information:

There is a global Windows 2000 Active Directory forest with three primary domains, Europe, Americas, & Asia Pacific, as well as an empty forest root.

There is a single global Exchange 2003 organization with three administrative groups; I’ll let you guess how they are arranged.

The European market is in the process of migrating from HP Openmail to Exchange.

The Americas market has always been using Exchange.

There is an expatriate program where business persons can travel abroad and hold positions for a period of years in which they will eventually return home. A great deal of these expatriates are high ranking company officials who have been with the company for a number of years and therefore have their SID associated with ACLs all over the place.

When an expatriate travels from Europe to the Americas, their account has historically been maintained in both domains until their return to Europe. This has introduced a number of issues with the Exchange migration, leading the Europeans to issue a mandate that all 1500 of these expatriates choose the account that they want to keep within the next two weeks. This solution does not provide adequate customer service according to management.

My question is twofold:

  • Does anyone know of an easy way to consolidate accounts and mailboxes into a single account and mailbox with an automated process that will preserve the permissions to files, directories, etc. and still allow for the user’s Openmail to be migrated into that single remaining mailbox?

  • Once the migration is completed, how is the move from one domain to another maintained as users begin new assignments and complete old ones so that their account is easily moved to the alternate domain with no loss of permissions?

If anyone has any good solutions I would be happy to hear them, a quick solution is needed to allow for the migration to continue.
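
As an added illustration of the ACL cleanup step discussed in this thread (not code from either poster or from any migration tool): a sketch that rewrites a security descriptor in SDDL form so that a SID carried in sIDHistory is replaced by the consolidated account's SID, which is what has to be finished before the SID history can be removed. The SIDs, the sample descriptor and the function name `remap_sddl` are constructed for the example, and conditional ACEs (nested parentheses) are assumed not to be present.

```python
import re

# One ACE in SDDL: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")
# Owner (O:) and primary group (G:) when written as full SIDs
OWNER_RE = re.compile(r"([OG]):(S-1-[0-9-]+)")

def remap_sddl(sddl, sid_map):
    """Replace old SIDs with new ones; return (new_sddl, stale_sids_found)."""
    stale, seen = [], set()

    def swap_owner(m):
        old = m.group(2)
        if old in sid_map:
            stale.append(old)
        return f"{m.group(1)}:{sid_map.get(old, old)}"

    def swap_ace(m):
        fields = m.group(1).split(";")
        if len(fields) < 6:            # not a plain ACE, leave untouched
            return m.group(0)
        if fields[5] in sid_map:
            stale.append(fields[5])
            fields[5] = sid_map[fields[5]]
        ace = "(" + ";".join(fields) + ")"
        if ace in seen:                # old and new SID both had this ACE:
            return ""                  # keep the first, drop the duplicate
        seen.add(ace)
        return ace

    return ACE_RE.sub(swap_ace, OWNER_RE.sub(swap_owner, sddl)), stale

# Constructed sample values: the old (Europe) SID and the kept (Americas) SID
OLD = "S-1-5-21-1000000001-1000000002-1000000003-1105"
NEW = "S-1-5-21-2000000001-2000000002-2000000003-2310"
SAMPLE = (f"O:{OLD}G:DUD:AI(A;OICI;FA;;;{OLD})"
          f"(A;OICI;FA;;;{NEW})(A;OICI;0x1200a9;;;BU)")

if __name__ == "__main__":
    cleaned, stale = remap_sddl(SAMPLE, {OLD: NEW})
    print(cleaned)
    print("stale references found:", len(stale))
```

Run against an inventory of descriptors, an empty `stale` list for every object is the signal that nothing still depends on the old SID.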
