RE: [ActiveDir] Migrate domain to separate forest

[Larry Wahlers]

Title: [ActiveDir] Migrate domain to separate forest

Many thanks, Jorge. And I hear congratulations on your MVP status are in order. Congrats!

 

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, January 17, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

If they need their own forest you need to create it first. But even before you create it, design it. First setup what the requirement should be and then design it to meet the requirements.

 

Migration high level steps are:
* Make sure the AD has been configured (sites, subnets, replication, OUs, GPOs, delegations, DNS, WINS, DHCP, etc.)

* Setup name resolution (WINS or DNS) between source and target domain/forest

* Setup trusts (if an external trust is configured and sidhistory is used, disable sid filtering)

* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with sidhistory)
* Migrate clients from the source domain to the target domain, translate security on the client, and translate profiles (at this moment users start logging on with their new AD account on the migrated clients that have been migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data from source security principals to target security principals (replace the security descriptors from the old domain with the security descriptors from the new domain )
* Cleanup temporary configurations
* Cleanup sidhistory (recommended!). sIDHistory is used to access resources while those resources still have security descriptors from the old domain. As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed sIDHistory can be cleaned. Sidhistory should only be used temporary for migration purposes!
* Remove trusts
* Decommission old domain(s)

For more info on migrating to an AD domain also see: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx

ADMTv3 has been out for a while, so be sure to use that version. (http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)

 

If you have exchange you need to setup the target Exchange organization and perform an inter-org migration

 

Cheers,

jorge

---

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Tue 2006-01-17 19:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrate domain to separate forest

Hello, colleagues,

One of our organizations is in their own domain, a child domain of our
root. They want to be in their own forest. Are there tools to migrate
them to their own separate forest, or will I need to build the forest
first, presumably with 2 new DC's, and then make all their servers join
the new forest? And, of course, they have about 140 users.

Thanks, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/