Hi,

In an intraforest migration ADMT actually MOVES the user account by creating
a new account in the target domain (new SID, but SAME GUID as the
source account) with the SID of the source account in the sIDHistory of the
target account. This is a destructive operation as there is no (quick)
fallback. The only options for fallback are (only on W2K3) undeleting the
source user account (but first delete the target account!!!) and an
authoritative restore of the user account in the source domain (but first
delete the target account!!!). The main reason for deleting the target
account, before restoring the source account, is that it has the same
GUID as the source account. In an AD forest (and independent of the AD
domain) NO 2 or more accounts can have the same GUID!!! When also
migrating clients (w2k and w2k3 and wxp) there will be no need to do a profile
migration as the GUID does NOT change for each account.
Using ADMT, only an interforest migration is a NON-destructive operation,
as source accounts are NOT deleted by default.

If I'm correct Aelita's Domain Migration Wizard creates a new target account
with a new GUID, puts the SID of the source account in the NEW target
account's sidhistory AND keeps the source account for fallback. One of the
caveats here is that you need to do a profile migration. It depends what's
more important in an intraforest migration -> fallback for source accounts
or easy profile migration. I think the first!

It is still not clear to me if you also have groups in the source domains
that also need to be migrated and if these groups also have the same names
in all the source domains. Don't forget to define closed sets of security
principals if you don't change group scope; otherwise change the group scope
to universal sec. The target domain must at least be Windows 2000 native to
accept sidhistory and universal security groups.

For user accounts you must do a many-to-one migration of user accounts where
the sid history of each source account is added to the sidhistory attribute
of the target account.
With ADMT I think merging user accounts would only work in interforest
scenarios and not in an intraforest scenario, as GUIDs cannot be consolidated
into one account like this, which is possible with SIDs.

From the ADMT readme.doc (see section "Subsequent User Migrations Update
Group Membership of Target Accounts") group memberships will be migrated to
the target whereas target group memberships that do not exist in the source
will be preserved. DON'T use the option "remove existing members" when
remigrating groups. I'm not sure though how this works in an intraforest
migration scenario.

The surest thing for you is to create a VMware environment with at least
3 domains (root = target and both children are source) (each with 1 DC), and create
some users and groups in all domains. Install a trial third party tool like
DMW and ADMT and configure accordingly. Create a snapshot at this moment.
First try ADMT and then the third party tool. I think in this case a third
party tool like DMW would be the way to go. I don't know about NetIQ
migtooling but I know DMW preserves source accounts even in an intraforest
mig scenario.

Hope this rather long explanation helps you!

Cheers
Jorge
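
The intraforest-move properties described in the message above (same GUID, new SID, source SID carried in sIDHistory, and never two accounts with one GUID) can be checked against before/after account snapshots. This is an added example, not part of the thread or of ADMT: the record layout, the `TARGET` domain label, and all GUID and SID values are constructed; only the FM, MI and RA domain names come from the thread.

```python
# Added example: all GUID and SID values below are constructed placeholders.
def acct(domain, sam, guid, sid, sid_history=()):
    """One account record: domain, sAMAccountName, objectGUID, objectSid, sIDHistory."""
    return {"domain": domain, "sam": sam, "guid": guid,
            "sid": sid, "sid_history": set(sid_history)}

# Source-domain accounts as recorded before the move.
BEFORE = [
    acct("FM", "jdoe",   "guid-0001", "S-1-5-21-10-10-10-1105"),
    acct("MI", "asmith", "guid-0002", "S-1-5-21-20-20-20-1210"),
    acct("RA", "bjones", "guid-0003", "S-1-5-21-30-30-30-1307"),
    acct("FM", "cwhite", "guid-0004", "S-1-5-21-10-10-10-1188"),
]

# Every account in the forest as recorded after the move.
AFTER = [
    acct("TARGET", "jdoe", "guid-0001", "S-1-5-21-90-90-90-5001",
         ["S-1-5-21-10-10-10-1105"]),
    # Moved, but the source SID never reached sIDHistory.
    acct("TARGET", "asmith", "guid-0002", "S-1-5-21-90-90-90-5002"),
    # Still sitting in the source domain with its old SID.
    acct("RA", "bjones", "guid-0003", "S-1-5-21-30-30-30-1307"),
    # Source restored without deleting the target first: one GUID, two accounts.
    acct("TARGET", "cwhite", "guid-0004", "S-1-5-21-90-90-90-5004",
         ["S-1-5-21-10-10-10-1188"]),
    acct("FM", "cwhite", "guid-0004", "S-1-5-21-10-10-10-1188"),
]

def check_intraforest_move(before, after):
    """Return (sAMAccountName, problem) for each source account that fails a check."""
    by_guid = {}
    for a in after:
        by_guid.setdefault(a["guid"], []).append(a)
    findings = []
    for src in before:
        found = by_guid.get(src["guid"], [])
        if not found:
            findings.append((src["sam"], "GUID not found in forest"))
        elif len(found) > 1:
            findings.append((src["sam"], "duplicate GUID in forest"))
        elif found[0]["sid"] == src["sid"]:
            findings.append((src["sam"], "not moved: SID unchanged"))
        elif src["sid"] not in found[0]["sid_history"]:
            findings.append((src["sam"], "source SID missing from sIDHistory"))
    return findings

if __name__ == "__main__":
    for sam, problem in check_intraforest_move(BEFORE, AFTER):
        print(f"{sam}: {problem}")
```
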



-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 3/23/2005 9:59 PM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

Quest's Domain Migration Wizard has options to handle duplicate accounts.

>>> [EMAIL PROTECTED] 3/23/2005 11:44:44 AM >>>
That's not correct for an intraforest migration. Intraforest
migrations are definitely a move and not a copy. Have you copied a
user account from a domain in ForestA to another domain in Forest A
and had it actually be a copy?

Phil


On Wed, 23 Mar 2005 14:23:04 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I think during an intraforest migration it is a copy, as the source user
> accounts are left intact and the users can continue to use them. This makes
> for an easy roll back if something goes wrong. I have not yet looked at
> using other tools as they, of course, will cost money and this tool is
> free. Management with the help of a consultant decided that ADMT would be
> able to do the job.
> 
> 
> Phil Renouf <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 03/23/2005 02:13 PM
> Please respond to: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> 
> Can ADMT merge between two domains in the same forest? Since
> intraforest migrations are a move and not a copy I was under the
> impression that you couldn't merge accounts while doing that. When
> doing an intraforest migration with NetIQ the option to merge
> conflicting accounts is not available.
>
> When doing a migration from a domain outside your forest you can
> absolutely merge accounts with the NetIQ tool, so I would be surprised
> if ADMT couldn't do that as well.
> 
> Phil
> 
> On Wed, 23 Mar 2005 13:26:12 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> > So merge is the correct term then?
> >
> > It's been a while, but I was thinking that ADMT could handle that. Have you
> > checked the help files for merging source to target?
> >
> > al
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, March 23, 2005 12:15 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > These are the same users in the same forest, but in different domains.
> >
> > "Mulnick, Al" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 03/23/2005 12:06 PM
> > Please respond to: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > And when you say duplicate names, are they representing different users or
> > the same users from different forests?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, March 23, 2005 11:23 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > Yes, all of these domains are in the same forest. We have an empty root
> > domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child
> > domains, FM.domain.com, MI.domain.com and RA.domain.com. The forest
> > functional level is Windows 2000 while the domain functional level of
> > MSROOT.domain and DOMAIN.com is Windows 2003. I raised it from Windows 200
> > Native after the upgrade.
> >
> > The accounts all follow the same naming standard across all domains.
> >
> > Phil Renouf <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 03/23/2005 10:21 AM
> > Please respond to: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > Are they all in the same forest? You mentioned child domains so I assume
> > they are, but I just wanted to check. Do the accounts follow the same naming
> > standard across all the domains? You mention the target domain is Windows
> > 2003 Native, I assume this means Windows 2003 in Win2k Native mode?
> >
> > Phil
> >
> > On Wed, 23 Mar 2005 10:00:06 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > We are currently trying to migrate all of our child domains into
> > > one single domain. There are 3 child domains, 2 of which are Windows
> > > 2000 native and 1 is Windows 2000 Mixed. The target domain is Windows
> > > 2003 Native. We plan to use ADMT v2 for the planned migrations.
> > >
> > > There were many different project teams, each with a hand in AD,
> > > before I arrived. When an account was needed in a particular domain it was
> > > just created, even though there were obviously trusts in place. Now I have
> > > 1,000's of duplicate user ID's in the target domain. How would I go
> > > about merging the accounts in the child domains with the accounts in
> > > the target domain?
> > >
> > > Thanks,
> > >      Chris
> > >
> > > List info   : http://www.activedir.org/List.aspx 
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx 
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/