RE: [ActiveDir] AD Migration Question

2005-10-11 Thread Alborzfard, Alex

Everyone, thanks for all your responses; they were all very useful.

 

--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, October 10, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Migration Question



 

How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep & domainprep and then introduce the win2003 DC. It will be in the same domain.
This also covers some checks for Exchange too.

Of all the services, DHCP can become risky to move without adequate safeguards; take a look at this article.
How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

--
Kamlesh



On 10/10/05, Alborzfard, Alex <[EMAIL PROTECTED]> wrote:



Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?

Thanks

--Alex

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question



 

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question



 

 

 

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks

--Alex

--
~~~
"Fortune and Love befriend the bold"
~~~

Re: [ActiveDir] AD Migration Question

2005-10-10 Thread Kamlesh Parmar
How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep & domainprep and then introduce the win2003 DC. It will be in the same domain. This also covers some checks for Exchange too.

Of all the services, DHCP can become risky to move without adequate safeguards; take a look at this article.
How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

--
Kamlesh
--
~~~
"Fortune and Love befriend the bold"
~~~


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Almeida Pinto, Jorge de
Upgrade KBs:

See:
MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers
MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003
MS-KBQ324392_Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392

Also see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc5ebbdb-a8d7-4761-b38a-e207baa73419.mspx
http://www.petri.co.il/windows_2003_adprep.htm
MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 based Domains
MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000
MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 2003
MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003

Cheers
Jorge



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Brian Desmond

You need to upgrade the schema first (before you install the first 2k3 DC). Do an adprep /forestprep from the 2003 CD on the 2000 box.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Peter Johnson

Hi Alex

Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically you will need to do the schema extensions on your current Schema master. Once the changes have replicated to your other DCs, then bring up your first W2K3 DC and move the FSMO roles, taking into account DC/GC placements etc., and then carry on as in my first mail.

Regards

Peter


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread ActiveDirectory

Just bring up a new 2k3 server, DCPromo it and it will do the rest as the first 2k3 DC. Once it is successfully promoted, transfer all roles. Once you are sure everything is transferred and working correctly you can DCPromo to demote the old server, wipe, reinstall, whatever. There is no coexistence other than working in Hybrid mode, and you can switch it to native once all of your 2K DCs are upgraded to 2K3.

As to moving DNS, WINS, DHCP: if your DC is serving all those functions then yes, activate them on the new server, and make sure you have updated the required clients to point at the new server for those services. If those services are working on a separate stand-alone server then don't worry about them other than to make sure any static entries are updated.

If you are planning to bring in Exchange 2k3 I believe it is best to get your 2k3 domain stable first. I don't think it is required though, but I'm not positive.

Just like anything else though, it is best to finish one project before starting the next; that way you aren't caught trying to troubleshoot conflicting issues.




RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Al Mulnick
Check out the upgrade docs at http://www.microsoft.com/ad and the readme that comes with your 2003 server media for more specifics.

You won't coexist, you'll insert a 2K3 DC into your 2K domain/forest. As for DNS, DHCP, and WINS, the migration is a little different.

DNS - If AD integrated, install on the new DC at installation. Let replicate.
- If not AD integrated, then you'll have to replicate the zone to the new server.
- Recommended to AD-integrate if that works for the domain you have.

WINS - WINS replicates. Replicate it to the new instance. Change the client settings before sunsetting the old WINS replica. Be sure the clients have started using the new instance.

DHCP - no replication :( you'll have to migrate it. There are tools to help, but it takes some time while you update the client settings. It's not overnight necessarily.

-ajm









RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Alborzfard, Alex
I also have W2K DCs in other remote sites. Are there any gotchas with migrating them? None of them are GCs.

Thanks

--Alex



RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Alborzfard, Alex

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?

Thanks

--Alex

 










RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Rich Milburn
Also check if you have hosts and lmhosts files, and static WINS entries if WINS is running on your DCs. We (different org) had issues once with static mappings and apps looking for a certain machine name. We brought up a new W2K DC, and then demoted DC1, rebuilt it with the same name, and dcpromo'd it. Did the same with DC2, then brought DCTemp down. Went very smoothly, and no in-place upgrades.


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso



Re: [ActiveDir] AD Migration Question

2005-10-10 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
When we have in-place upgraded SBS 2000s to SBS 2003s they leave behind a mishmash of permissions, i.e. a blend of 2000 and 2003. Many in our gang really do not like in-place upgrades at all. You don't get a comparable box to a clean 2003.

You want a nice, clean 2003 permission structure? You'll want to swing over those roles.




RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Al Mulnick
Agreed, although you should be careful to note (and take appropriate actions for) any apps that utilize hard coded DNS server entries prior to sunsetting the original 2K DC.

It's always been a best practice to stand up a new DC vs. upgrade in place. Not a hard and fast rule, but a best practice.

If your DNS is integrated, and since WINS is replicable (word?) as well, then DHCP is the only animal left to contend with really. You'll want to pay some attention to how you approach that so that you work with the lease times, option settings, networks, etc.

-ajm



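Rich Milburn's point about hosts/lmhosts files and static WINS mappings, and Al Mulnick's about apps with hard-coded DNS server entries and DHCP option settings, come down to one pre-demotion check: find every static reference to the retiring DC before dcpromo takes it out. The script below is an added example, not code from this list or from Microsoft; the file contents, the DHCP option values, the host name DC1 and the 192.0.2.x addresses are all constructed placeholders.

```python
"""Pre-demotion dependency check for a retiring domain controller.

Added example (not from the ActiveDir thread): before demoting the old
Windows 2000 DC, find static references to it that would break name
resolution or logon once it is gone: hosts / lmhosts entries (including an
lmhosts #INCLUDE that fetches its file from the DC itself) and DNS / WINS
server addresses handed out by DHCP or hard-coded in application configs.
All inputs are constructed samples; DC1 / 192.0.2.10 are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # file or setting the reference was found in
    line_no: int   # 1-based line in that file (0 for a setting value)
    text: str      # the offending line or value
    reason: str    # why it must be fixed before the DC is demoted


# lmhosts keywords that may follow a name on an entry line; any other token
# starting with '#' begins a comment (same rule as the hosts file).
LMHOSTS_KEYWORDS = ("#PRE", "#DOM:", "#MH", "#SG:", "#NOFNR")


def _host_label(token: str) -> str:
    """First label of a short name, FQDN or UNC path, lower-cased."""
    return re.split(r"[\\/.]", token.lstrip("\\"), maxsplit=1)[0].lower()


def _is_keyword(token: str) -> bool:
    return any(token.upper().startswith(k) for k in LMHOSTS_KEYWORDS)


def scan_hosts_file(source: str, content: str, old_name: str, old_ip: str) -> list[Finding]:
    """Scan a hosts or lmhosts file for entries that point at the retiring DC."""
    findings: list[Finding] = []
    target = old_name.lower()
    for n, raw in enumerate(content.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        # '#INCLUDE \\server\share\lmhosts' is read over SMB at load time;
        # if that server is the retiring DC the include silently goes dead.
        if tokens[0].upper() == "#INCLUDE":
            if len(tokens) > 1 and _host_label(tokens[1]) == target:
                findings.append(Finding(source, n, raw, "#INCLUDE fetches lmhosts from the retiring DC"))
            continue
        if tokens[0].startswith("#"):
            continue  # comment or other lmhosts directive
        ip, names = tokens[0], []
        for tok in tokens[1:]:
            if tok.startswith("#"):
                if _is_keyword(tok):
                    continue  # lmhosts keyword, not a comment
                break         # rest of the line is a comment
            names.append(tok)
        if ip == old_ip:
            findings.append(Finding(source, n, raw, "static mapping to the retiring DC's address"))
        elif any(_host_label(h) == target for h in names):
            findings.append(Finding(source, n, raw, "static mapping uses the retiring DC's name"))
    return findings


def scan_settings(settings: dict[str, list[str]], old_name: str, old_ip: str) -> list[Finding]:
    """Check values clients inherit (DHCP options 006/044, app configs)."""
    target = old_name.lower()
    return [Finding(label, 0, value, "clients are still pointed at the retiring DC")
            for label, values in settings.items() for value in values
            if value == old_ip or _host_label(value) == target]


def check_all(old_name: str, old_ip: str, files: dict[str, str],
              settings: dict[str, list[str]]) -> list[Finding]:
    findings: list[Finding] = []
    for source, content in files.items():
        findings.extend(scan_hosts_file(source, content, old_name, old_ip))
    findings.extend(scan_settings(settings, old_name, old_ip))
    return findings


# Constructed sample inputs (not taken from any real system).
HOSTS = """# hosts file on a legacy application server
127.0.0.1      localhost
192.0.2.10     dc1.corp.example dc1   # hard-coded by the vendor installer
192.0.2.20     dc2.corp.example dc2
"""
LMHOSTS = r"""# lmhosts file on a Windows 9x client
192.0.2.10   DC1       #PRE #DOM:CORP   # preloaded logon server
192.0.2.30   FILESRV   #PRE
#INCLUDE \\DC1\public\lmhosts
"""
SETTINGS = {
    "DHCP scope 192.0.2.0 option 006 DNS Servers": ["192.0.2.10", "192.0.2.20"],
    "DHCP scope 192.0.2.0 option 044 WINS/NBNS Servers": ["192.0.2.10"],
    "APPSRV app.config ldap_host": ["dc1.corp.example"],
}

if __name__ == "__main__":
    for f in check_all("DC1", "192.0.2.10", {"hosts": HOSTS, "lmhosts": LMHOSTS}, SETTINGS):
        where = f"{f.source}:{f.line_no}" if f.line_no else f.source
        print(f"{where}: {f.reason}\n    {f.text.strip()}")
```

Run against the real files and a DHCP option export before demotion; an empty result is the go/no-go signal Al and Rich describe, and a DC rebuilt with the same name (Rich's approach) still shows up by address.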


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Peter Johnson

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.

 

















RE: [ActiveDir] AD Migration Question

2005-10-10 Thread ActiveDirectory



My personal opinion is that you carry less crap over if you bring 
up a new 2k3 DC (even if only temporarily).  You can always reformat and 
reuse the original server then move it back if you need to.
 
Bob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS server. If I go the second route, do I need to set up a DNS server or can I use the existing ones?

Thanks

--Alex


Re: [ActiveDir] AD migration

2005-08-10 Thread Tom Kern
Thanks.
What I'm worried about is that NetBIOS/TCP is turned off and they have
no WINS servers.
How will this affect an external trust like the kind being attempted?
Thanks again


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
See inline below

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Do you mean check off "associate with external account" on the user attrib?

[RTK] If you mean the ACE "Associate with External Account" in the ACL of
the Mail-enabled disabled user - which should have a new entry of [domain in
other forest\user], yep.  That's the one.  I seem to remember that there is
at least one maybe two more ACEs that need to be checked as well.  Should
become apparent pretty quickly.  If you can't find it - I'll dig it up.

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain? (I think
the answer to this is, when it points to the Exchange server in the old
forest, DSProxy will direct them to a GC in the Exchange server's site?)

[RTK]  The Exchange server in the old forest still has associated GCs, so
yes - the GCs that are located by the Exchange servers are still used for
the purposes that they are needed for.

Also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM, Outlook pre-2003, ExMerge, etc.

[RTK]  It's important to understand a specific distinction - especially when
related to E2k and E2k3.  The dependency is on NetBIOS name resolution - not
specifically the Application layer API NetBIOS.  Remember - NetBIOS is not a
protocol.  NetBEUI is.  Neither is routable.  So, if you don't have NBT and
have WINS - you're going to work fine with what you state above.

Thanks


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Ack!  Aric, sorry about that..  I think that I've been almost fooled by
that once before and caught myself.

The other problem is the format that Outlook displays names in.  Some are
Firstname Lastname i.e. 'Jennifer Fountain' (or just firstname / nickname /
pseudonym, i.e. 'joe') or Lastname, Firstname (i.e. 'Wells, Dean').  Or,
Bernard, Aric.

That's my excuse - I'm sticking to it

Not exactly on the same lines, but a guy I used to work with was named
Martin Ferry.  Imagine what we called him.  In the form of a verb and a
proper noun, please.

Rick

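Rick's LMHOSTS approach for reaching a DC in an untrusted domain without WINS (KB 180094, quoted in this thread) depends on the records being exactly right, and the usual failures are a domain record padded to the wrong length or a keyword the parser silently treats as a comment. The validator below is an added example written for this page, not code from the list, from Microsoft or from the KB article; the sample file, the host names, the addresses and the domain TARGETDOM are constructed.

```python
"""Validator for the LMHOSTS entries used to reach a domain controller in an
untrusted domain or forest without WINS (KB 180094). Added example for this
thread; not code from the list or from Microsoft. The sample file, host
names, addresses and the domain TARGETDOM are constructed.

Rules checked (from the KB article and the lmhosts.sam conventions):
  - a plain entry is <IPv4> <name up to 15 chars> [#PRE] [#DOM:<domain>]
  - the domain-controller entry is <IPv4> "<domain padded with spaces to
    15 chars>\0x1b" #PRE, i.e. exactly 20 characters inside the quotes
  - #PRE and #DOM are uppercase; anything else after '#' is a comment, so a
    lowercase #pre silently turns the rest of the line into a comment
  - every #DOM:X entry should be preloaded, and X needs a \0x1b record
"""
import ipaddress
import re
from dataclasses import dataclass

LINE_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
ONE_B = r"\0x1b"          # the literal five characters: backslash 0 x 1 b


@dataclass
class Entry:
    line: int
    ip: str
    name: str             # NetBIOS name, or the domain for a \0x1b record
    preload: bool = False
    domain: str = ""      # value of #DOM:, if any
    is_1b: bool = False   # domain master browser (<1B>) record


def parse_lmhosts(text):
    """Parse LMHOSTS text into entries plus (line, problem) findings."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "cannot parse line"))
            continue
        ip, name_tok, rest = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((lineno, f"invalid IPv4 address {ip!r}"))
        entry = Entry(lineno, ip, name_tok)
        if name_tok.startswith('"'):
            inner = name_tok[1:-1]
            if len(inner) == 20 and inner.endswith(ONE_B):
                entry.name, entry.is_1b = inner[:15].rstrip(" ").upper(), True
            else:
                problems.append((lineno, "quoted record must be a 15-character "
                                         "space-padded domain followed by \\0x1b"))
        elif len(name_tok) > 15:
            problems.append((lineno, f"name {name_tok!r} exceeds 15 characters"))
        else:
            entry.name = name_tok.upper()
        for tok in rest.split():
            if tok == "#PRE":
                entry.preload = True
            elif tok.startswith("#DOM:"):
                entry.domain = tok[5:].upper()
            elif tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                problems.append((lineno, f"keyword {tok!r} must be uppercase; "
                                         "as written it starts a comment"))
            elif tok.startswith("#"):
                break             # other keywords and comments: not checked here
            else:
                problems.append((lineno, f"unexpected token {tok!r}"))
        entries.append(entry)
    return entries, problems


def check_trust_records(entries):
    """Cross-check the pairs a trust needs: #DOM entries preloaded, and a
    preloaded \0x1b record for every domain named in a #DOM."""
    problems = []
    onebee = {e.name: e for e in entries if e.is_1b}
    for e in entries:
        if e.is_1b and not e.preload:
            problems.append((e.line, f"\\0x1b record for {e.name} is not #PRE"))
        if e.domain:
            if not e.preload:
                problems.append((e.line, f"#DOM:{e.domain} entry is not #PRE and will not be preloaded"))
            if e.domain not in onebee:
                problems.append((e.line, f"no \\0x1b record for domain {e.domain}"))
    return problems


def validate(text):
    entries, problems = parse_lmhosts(text)
    return entries, sorted(problems + check_trust_records(entries))


# constructed sample: one correct pair (lines 2-3), then three broken lines
SAMPLE_LMHOSTS = "\n".join([
    r"# constructed example, not a real network",
    r"10.20.30.40     TARGETPDC        #PRE #DOM:TARGETDOM",
    r'10.20.30.40     "TARGETDOM      \0x1b"   #PRE',
    r"10.20.30.41     TARGETBDC01      #pre #DOM:TARGETDOM",
    r'10.20.30.42     "TARGETDOM \0x1b"        #PRE',
    r"10.20.30.4x     AVERYVERYLONGHOSTNAME    #PRE",
])

if __name__ == "__main__":
    for line, msg in validate(SAMPLE_LMHOSTS)[1]:
        print(f"line {line}: {msg}")
```

Run it as a script to see the findings for the constructed sample, or pass the contents of %SystemRoot%\System32\drivers\etc\lmhosts to validate(). The file passing this check is still only half the job: on the Windows host, nbtstat -R reloads the cache from LMHOSTS and nbtstat -c shows whether the #PRE entries actually landed.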

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Do you mean check off "associate with external account" on the user attrib?

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain? (I think
the answer to this is, when it points to the Exchange server in the old
forest, DSProxy will direct them to a GC in the Exchange server's site?)

Also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM, Outlook pre-2003, ExMerge, etc.

Thanks


RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
LOL - I probably would not have this problem if I spelled my first name
"correctly".


RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



"Aric" Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work?

Neither WINS replication nor name resolution requires any trusts nor even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based "connection agreements" between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play.


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping - but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a "real" forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was - they have connectivity to the
> child DNS server but they cut off connectivity to anything in the root
> domain.
> The firewall is blocking all root traffic.
> This has been like this for a week.
> Nothing is replicating to the root and there is no access to the _msdcs
> forest zone.
>
> The forest is win2k native with an empty root and 1 child domain in a
> separate tree.
> They have DA access in the child domain but no DA/EA access in the root.
> All the Exchange servers (about 10) are in the child domain.
> The only recipient policy in the root is the default one and the
> enterprise RUS.
>
>
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdcs forest DNS zone to
> create a trust with the old child domain to migrate everything over (or
> anything in the root DNS zone).
>
> I'm not 2nd guessing the Quest guys, this is only for my own education.
>
> Thanks a lot
>
>
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
> > have them put a quote and migration plan together prior to the actual
> > migration? Or are you asking these questions because you are second
> > guessing them? Or is this just for your own knowledge?
> >
> > My understanding is that bo
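joe's point that WINS registration and lookup are anonymous, and Rick's note that the trust in this setup rides on NetBIOS name resolution, are easier to see on the wire. The block below is an added example for this page, not code from the list or from any Microsoft component: it builds an RFC 1002 name registration request the way a WINS client sends one and decodes it again. The transaction ID, the host name FILESRV01 and the address 192.168.10.5 are constructed.

```python
"""NetBIOS Name Service (RFC 1002) name registration, the message a WINS
client sends to claim a name. Added example for this thread; not code from
the list, from Microsoft or from any WINS implementation. The names and
addresses used below are constructed.

The request carries a name, node flags, a TTL and an IP address, and
nothing else: there is no field for a credential, so any host that can
reach UDP/137 on the WINS server can register (or try to take over) a name.
"""
import struct

OPCODE_REGISTRATION = 5      # RFC 1002 name registration request
NB_TYPE = 0x0020             # RR type NB (NetBIOS general name service)
IN_CLASS = 0x0001
ONT_H_NODE = 0b11            # owner node type: hybrid (WINS first, then broadcast)


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad the name to 15 bytes, append the 1-byte
    suffix (0x00 workstation, 0x20 file server, 0x1B domain master browser),
    then write each byte as two nibbles added to 'A'. Result is the 34-byte
    wire form: length 32, 32 encoded characters, zero terminator."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def decode_netbios_name(buf, offset=0):
    """Inverse of encode_netbios_name. Returns (name, suffix, next_offset)."""
    if buf[offset] != 32 or buf[offset + 33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = buf[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_registration(trn_id, name, suffix, ip, ttl=300000, broadcast=False):
    """Unique-name registration request: header, one question, and one
    additional RR carrying NB_FLAGS plus the address being claimed."""
    flags = (OPCODE_REGISTRATION << 11) | (1 << 8)      # RD (recursion desired)
    if broadcast:
        flags |= 1 << 4                                  # B: broadcast, not unicast to WINS
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 1)   # QD=1 AN=0 NS=0 AR=1
    question = encode_netbios_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)
    nb_flags = ONT_H_NODE << 13                          # G=0 (unique name), ONT=H-node
    rdata = struct.pack(">H4B", nb_flags, *(int(o) for o in ip.split(".")))
    # RR name is a pointer (0xC00C) back to the question name at offset 12
    rr = b"\xC0\x0C" + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_registration(pkt):
    """Decode a registration request back into its fields. This is every
    field the server can act on; nothing identifies or authenticates the
    sender beyond the source address of the UDP datagram."""
    trn_id, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    name, suffix, off = decode_netbios_name(pkt, 12)
    off += 4                                              # question type + class
    _ptr, _rtype, _rclass, ttl, rdlen = struct.unpack(">HHHIH", pkt[off:off + 12])
    nb_flags, a, b, c, d = struct.unpack(">H4B", pkt[off + 12:off + 12 + rdlen])
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x10),
        "name": name,
        "suffix": suffix,
        "group": bool(nb_flags & 0x8000),
        "ont": (nb_flags >> 13) & 0x3,
        "ttl": ttl,
        "ip": f"{a}.{b}.{c}.{d}",
    }


if __name__ == "__main__":
    # constructed values: a file server registering its <20> name with a WINS server
    pkt = build_registration(0x1234, "FILESRV01", 0x20, "192.168.10.5")
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_registration(pkt))
```

The dictionary parse_registration returns is the whole of what a WINS server learns from a registration. Nothing in it can be checked against the sender; what a server does about a conflicting registration is challenge the current holder of the name with a query, and if that host is down or unreachable the name moves. Restricting who can reach UDP/137 on the WINS servers is the control that matters when a trust or a logon depends on a name resolved this way.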

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
A it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran well,
but then it was well configured and well monitored. MS didn't make it easy
to monitor it, actually I think they tried everything they could to make it
so you couldn't monitor it, but those who figured it out, tended to be ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names... 


   joe
 

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was- they have connectivity to the 
> child dns server but they cut off connectivity to anything in the root 
> domain.
> the firewall is blocking all root traffic.
> this has been like this for a week.
> nothing is replicating to the root and there is no access to the _msdc 
> forest zone.
> 
> The forest is win2k native with an empty root and 1 child domain in a 
> seperate tree.
> they have DA access in the child domain but no DA/EA access in the root.
> all the exchange servers(about 10) are in the child domain.
> the only recipent policy in the root is the default one and the 
> enterprise
RUS.
> 
> 
> They want to migrate the child domain and all the resources to a new 
> forest where we have full control of everything.
> i assume we do not need connectivity to the _msdc forest dns zone to 
> create a trust with the old child domain to migrate everything over(or 
> anything in the root dns zone).
> 
> I'm not 2nd guessing the Quest guys, this is only for my own education.
> 
&g

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated, with replication being
handled through IP address based "connection agreements" between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
wins or dns.
i know this is not a "real" forest trust and more like an external trust in
that its not transitive and uses ntlm and NOT kerberos, but does it also
rely on wins/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was- they have connectivity to the 
> child dns server but they cut off connectivity to anything in the root 
> domain.
> the firewall is blocking all root traffic.
> this has been like this for a week.
> nothing is replicating to the root and there is no access to the _msdc 
> forest zone.
> 
> The forest is win2k native with an empty root and 1 child domain in a 
> separate tree.
> they have DA access in the child domain but no DA/EA access in the root.
> all the exchange servers(about 10) are in the child domain.
> the only recipient policy in the root is the default one and the
> enterprise RUS.
> 
> 
> They want to migrate the child domain and all the resources to a new 
> forest where we have full control of everything.
> i assume we do not need connectivity to the _msdc forest dns zone to 
> create a trust with the old child domain to migrate everything over(or 
> anything in the root dns zone).
> 
> I'm not 2nd guessing the Quest guys, this is only for my own education.
> 
> Thanks a lot
> 
> 
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to the actual
migration? Or are you asking these questions because you are second guessing
them? Or is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when
using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
has a tool that overcomes this that I am not aware of. Are you trying to
keep the same domain name as the source? Microsoft also has a free tool that
will allow you to rename the target 2003 AD domain as
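Rick's LMHOSTS recipe from the quoted message, in working form. This is an added example, not code from the thread or from KB 180094, and the values in it are placeholders: a target NetBIOS domain OLDCORP whose PDC emulator OLDDC1 sits at 10.10.1.5. It writes the two records the trust needs with the padding the KB insists on, reloads the NetBIOS name cache, and then checks who can modify the file, because a static, unauthenticated name map is only as trustworthy as its ACL.

```powershell
# Added example, not from the thread. Builds the LMHOSTS records that an
# external trust to a NetBIOS domain needs, in the shape KB 180094
# describes, then loads and verifies them. Placeholder values: target
# domain OLDCORP, its PDC emulator OLDDC1 at 10.10.1.5. Run elevated
# (nbtstat -R and writing under System32 both need it).

function New-LmhostsTrustEntries {
    param(
        [Parameter(Mandatory)] [string] $DomainName,  # NetBIOS domain name (1-15 chars)
        [Parameter(Mandatory)] [string] $PdcName,     # NetBIOS name of the PDC emulator
        [Parameter(Mandatory)] [string] $PdcIp
    )
    if ($DomainName.Length -gt 15 -or $PdcName.Length -gt 15) {
        throw 'NetBIOS names are limited to 15 characters.'
    }
    $dom = $DomainName.ToUpperInvariant()
    $pdc = $PdcName.ToUpperInvariant()
    # Record 1: the PDC, preloaded (#PRE) and tagged as a DC of the domain (#DOM).
    # Record 2: the domain<1B> name. It must be quoted and space-padded to exactly
    # 15 characters before the \0x1b suffix; any other length is silently ignored,
    # which is the "EXACTLY as defined" trap Rick warns about.
    $padded = $dom.PadRight(15)
    @(
        "$PdcIp`t$pdc`t#PRE`t#DOM:$dom"
        "$PdcIp`t`"$padded\0x1b`"`t#PRE"
    )
}

$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
$entries = New-LmhostsTrustEntries -DomainName 'OLDCORP' -PdcName 'OLDDC1' -PdcIp '10.10.1.5'

# The file has no extension; "lmhosts.txt" is never read. Keep it ASCII.
Add-Content -Path $lmhosts -Value $entries -Encoding Ascii

# Purge the NetBIOS name cache and reload the #PRE entries, then list the
# cache; the OLDDC1 and OLDCORP entries should show Life [sec] = -1.
nbtstat -R | Out-Null
nbtstat -c

# Whoever can write this file decides which host your trust setup and secure
# channel talk to. Only SYSTEM and Administrators should have write access.
(Get-Acl -Path $lmhosts).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The mirror file on the other side of the trust carries the same two records for the new forest's NetBIOS domain and PDC emulator. It only helps where NetBIOS over TCP/IP is enabled and "Enable LMHOSTS lookup" is ticked in the adapter's WINS settings; in a forest with NetBIOS disabled, as Tom later reports, none of this is consulted.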

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated, with replication being
handled through IP address based "connection agreements" between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
wins or dns.
i know this is not a "real" forest trust and more like an external trust in
that its not transitive and uses ntlm and NOT kerberos, but does it also
rely on wins/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was- they have connectivity to the 
> child dns server but they cut off connectivity to anything in the root 
> domain.
> the firewall is blocking all root traffic.
> this has been like this for a week.
> nothing is replicating to the root and there is no access to the _msdc 
> forest zone.
> 
> The forest is win2k native with an empty root and 1 child domain in a 
> separate tree.
> they have DA access in the child domain but no DA/EA access in the root.
> all the exchange servers(about 10) are in the child domain.
> the only recipient policy in the root is the default one and the
> enterprise RUS.
> 
> 
> They want to migrate the child domain and all the resources to a new 
> forest where we have full control of everything.
> i assume we do not need connectivity to the _msdc forest dns zone to 
> create a trust with the old child domain to migrate everything over(or 
> anything in the root dns zone).
> 
> I'm not 2nd guessing the Quest guys, this is only for my own education.
> 
> Thanks a lot
> 
> 
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to the actual
migration? Or are you asking these questions because you are second guessing
them? Or is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when
using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
has a tool that overcomes this that I am not aware of. Are you trying to
keep the same domain name as the source? Microsoft also has a free tool that
will allow you to rename the target 2003 AD domain as after you have
completed your migration and decommissioned old DC's.
> >
> > Jose
> >
> > -Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Almeida 
> > Pinto, Jorge de
> > Sent: Monday, August 08, 2005 2:46 PM
> > To: ActiveDir@mail.activedir.org; activedirectory
> > Subject: RE: [ActiveDir] AD migration
> >
> >
> > Wh

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

Argumentative - no.  Tricky, no - I didn't think that at all.  (*Trick* is
an old racing term of mine that leaks out now and again.  Simply means
doing something others don't do...  It's not a bad term at all).

As Bernard pointed out - there's a thing or two that I didn't account for.
He gives you some good information.

As to 'converting' the standard sec. into a primary - good plan.  I like
their thinking!  :0)

Now that you know that you have control of the DNS (as well as the WINS) I
suspect that the DNS is the better route.  By nature and by approach, I have
a tendency to do things the simplest and least complicated way possible.
The reason is tantamount to flying the Space Shuttle as compared to an
ultra-light.  Simplicity wins - based on your needs.  (IOW, if I have to go
into space, the shuttle wins... you get my meaning...)

NetBIOS disabled does have an impact on choices.  If they have DNS
functioning - go with it.

As to the Exchange - a bit of an issue - but it's not big.  They don't
have to log in per se.  If you have the trust in place, half of the
problem is done.  User A in Domain B has a mailbox on an Exchange server in
domain A.  The account properties for the mailbox need to indicate the
mailbox in domain A, and the permission on the disabled mailbox-enabled user
account in domain A need to indicate that User A in Domain B has External
Acct Permissions to the mailbox.

If the above paragraph makes no sense, let me know.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry, I wasn't trying to be tricky.

I actually suggested the lmhosts solution but the consultants from ibm
who are planning the migration with MS are going the dns route.

MS "hacked" the formerly AD-integrated dns from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has netbios disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because i don't feel the warm
and fuzzies from these guys from ibm as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mboxes(while Exchange is still in the
old forest) or does sid history make it so they can access exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric <[EMAIL PROTECTED]> wrote:
> Tom,
> 
> While I am sure that Rick has some document in which using LMHosts files
> are identified as a best practice, I can assure you that it is quite
> feasible to use WINS to accomplish the name resolution requirement for
> the task at hand: creating an external trust between two domains with
> different names explicitly for the purpose of migrating client systems
> from one domain to another.  In fact I might suggest that in many cases
> this is a better approach.  The Quest products will rely on name
> resolution (as well as the trust) in order to migrate users, groups,
> workstations, server and other resources between domains.  This name
> resolution will in fact be even more important during the migration
> process if users in one domain will need to access resources in the
> other domain.  The existing WINS environment is already populated with
> necessary records, and has all the information required to resolve the
> names of DCs, resource servers, workstations, etc. in the existing
> domain.  Assuming you have administrative control over the WINS server,
> you can certainly configure WINS replication between a WINS server in
> the new environment and one in the existing environment - and no, a
> trust is not needed to make this work as WINS replication (and
> resolution) is generally unauthenticated.
> 
> If you are planning to migrate your WINS servers to the new environment
> I might argue that the best approach would be to migrate them first (one
> by one verifying functionality as you go) to the new environment and
> continue to point both old *and new systems* to the same WINS servers.
> Of course this assumes, as stated previously, that you have
> administrative control over the WINS servers.  This implementation
> should avoid the need to use LMHost files or change primary/secondary
> WINS assignments on migrated systems.  This is an approach I have used
> many times when migrating between forests and between NT4 domains and AD
> domains.
> 
> As for migrating without the availability of the root domain, you should
> be "mostly
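The "DNS route" Rick settles on above, and the stub zone or conditional forwarder Tom asked about earlier in the thread, as an added example that is not part of the thread or of the consultants' plan. Placeholders: the old child zone is child.oldcorp.local, served by 10.10.1.5; the new forest's DNS server is NEWDNS1; the old forest root is oldcorp.local. It assumes Windows Server 2003 DNS on the new side, which is where dnscmd's /Forwarder and /Stub options exist, and it ends with the lookups that show what does and does not resolve while the root is firewalled off.

```powershell
# Added example, not from the thread. Gives the new forest's DNS server a
# path to the old child domain's zone, then checks that the locator records
# the trust wizard and the migration tooling need actually resolve even
# though the old forest root is blocked. Placeholder values: old child zone
# child.oldcorp.local on 10.10.1.5, old forest root oldcorp.local, new DNS
# server NEWDNS1 (Windows Server 2003 DNS). Run as an administrator of NEWDNS1.

$zone   = 'child.oldcorp.local'
$oldDns = '10.10.1.5'
$newDns = 'NEWDNS1'

# Conditional forwarder: only queries for $zone are sent to the old server.
# Nothing from the old forest is stored locally and no other lookups ever go
# its way, which is the least exposure to an environment you do not control.
dnscmd $newDns /ZoneAdd $zone /Forwarder $oldDns

# Alternative (instead of the forwarder): a stub zone, which keeps the old
# zone's SOA, NS and glue A records and follows NS changes on its own. The
# old server must answer NEWDNS1's queries for those records.
# dnscmd $newDns /ZoneAdd $zone /Stub $oldDns

dnscmd $newDns /ZoneInfo $zone

# The child's own DC locator records live under the child's zone, not under
# the forest root's _msdcs zone, so they must resolve with the root blocked.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone" $newDns
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$zone" $newDns

# What will NOT resolve while the root is blocked: the forest-wide records
# under _msdcs.<forest root> (GC SRVs and the per-DC GUID CNAMEs that AD
# replication uses). This is the root of the replication trouble Aric warns
# about; the query below is expected to fail until the root is reachable.
nslookup -type=SRV "_ldap._tcp.gc._msdcs.oldcorp.local" $oldDns
```

Use one of the two options, not both. The forwarder is the smaller trust surface: it hands the old server only the queries for its own zone and caches its answers for the record TTL, whereas a stub zone copies the old zone's delegation data into the new forest's DNS.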

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry, I wasn't trying to be tricky.

I actually suggested the lmhosts solution but the consultants from ibm
who are planning the migration with MS are going the dns route.

MS "hacked" the formerly AD-integrated dns from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has netbios disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because i don't feel the warm
and fuzzies from these guys from ibm as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mboxes(while Exchange is still in the
old forest) or does sid history make it so they can access exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric <[EMAIL PROTECTED]> wrote:
> Tom,
> 
> While I am sure that Rick has some document in which using LMHosts files
> are identified as a best practice, I can assure you that it is quite
> feasible to use WINS to accomplish the name resolution requirement for
> the task at hand: creating an external trust between two domains with
> different names explicitly for the purpose of migrating client systems
> from one domain to another.  In fact I might suggest that in many cases
> this is a better approach.  The Quest products will rely on name
> resolution (as well as the trust) in order to migrate users, groups,
> workstations, server and other resources between domains.  This name
> resolution will in fact be even more important during the migration
> process if users in one domain will need to access resources in the
> other domain.  The existing WINS environment is already populated with
> necessary records, and has all the information required to resolve the
> names of DCs, resource servers, workstations, etc. in the existing
> domain.  Assuming you have administrative control over the WINS server,
> you can certainly configure WINS replication between a WINS server in
> the new environment and one in the existing environment - and no, a
> trust is not needed to make this work as WINS replication (and
> resolution) is generally unauthenticated.
> 
> If you are planning to migrate your WINS servers to the new environment
> I might argue that the best approach would be to migrate them first (one
> by one verifying functionality as you go) to the new environment and
> continue to point both old *and new systems* to the same WINS servers.
> Of course this assumes, as stated previously, that you have
> administrative control over the WINS servers.  This implementation
> should avoid the need to use LMHost files or change primary/secondary
> WINS assignments on migrated systems.  This is an approach I have used
> many times when migrating between forests and between NT4 domains and AD
> domains.
> 
> As for migrating without the availability of the root domain, you should
> be "mostly" OK as the Quest representatives stated.  However without the
> root being accessible and the _msdcs DNS domain being unavailable, I
> would certainly look to accelerate the migration as you should start
> having replication even within your child domain(s).
> 
> Regards,
> 
> Aric
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, August 09, 2005 9:35 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD migration
> 
> Tom,
> 
> The solution that I gave you is the only one that I know of.  If you are
> able to get DNS to work (doubtful) or are able to get WINS to replicate
> across a trust that at the present time doesn't exist, more power to
> you.
> 
> However, given the trials and tribulations that you have discussed with
> us
> over the past couple of weeks - *I* would be looking for the easiest,
> accepted, maintainable "best practice" method for getting your job done.
> 
> A piece of personal advice - and you can choose to ignore it or use it -
> it's free.
> 
> In your new position, they are looking for results - not the most trick
> way
> of doing something.  I am sure that the company that has retained your
> services is being billed for the time that you work to migrate their
> user
> base and Exchange to something that they can control.  Finding a DNS or
> a
> WINS solution when the LMHosts solution is 'best practice' is simply not
> a
> good idea.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] O

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Tom,

While I am sure that Rick has some document in which using LMHosts files
are identified as a best practice, I can assure you that it is quite
feasible to use WINS to accomplish the name resolution requirement for
the task at hand: creating an external trust between two domains with
different names explicitly for the purpose of migrating client systems
from one domain to another.  In fact I might suggest that in many cases
this is a better approach.  The Quest products will rely on name
resolution (as well as the trust) in order to migrate users, groups,
workstations, server and other resources between domains.  This name
resolution will in fact be even more important during the migration
process if users in one domain will need to access resources in the
other domain.  The existing WINS environment is already populated with
necessary records, and has all the information required to resolve the
names of DCs, resource servers, workstations, etc. in the existing
domain.  Assuming you have administrative control over the WINS server,
you can certainly configure WINS replication between a WINS server in
the new environment and one in the existing environment - and no, a
trust is not needed to make this work as WINS replication (and
resolution) is generally unauthenticated.

If you are planning to migrate your WINS servers to the new environment
I might argue that the best approach would be to migrate them first (one
by one verifying functionality as you go) to the new environment and
continue to point both old *and new systems* to the same WINS servers.
Of course this assumes, as stated previously, that you have
administrative control over the WINS servers.  This implementation
should avoid the need to use LMHost files or change primary/secondary
WINS assignments on migrated systems.  This is an approach I have used
many times when migrating between forests and between NT4 domains and AD
domains.

As for migrating without the availability of the root domain, you should
be "mostly" OK as the Quest representatives stated.  However without the
root being accessible and the _msdcs DNS domain being unavailable, I
would certainly look to accelerate the migration as you should start
having replication even within your child domain(s).

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to
you.

However, given the trials and tribulations that you have discussed with
us
over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable "best practice" method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick
way
of doing something.  I am sure that the company that has retained your
services is being billed for the time that you work to migrate their
user
base and Exchange to something that they can control.  Finding a DNS or
a
WINS solution when the LMHosts solution is 'best practice' is simply not
a
good idea.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

why can't you just use stub zones or conditional forwarding for this to
work?

or if NetBT is involved, can you just configure your wins servers to
replicate? I thought wins replication had nothing to do with NT
security. you just enter the ip of the partner servers...

Thanks

On 8/9/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> Really, it uses neither.  The NetBT is involved, but because we are on
(at
> present) untrusted domains and forests, WINS isn't going to work.
> 
> Typically, this is done with an LMHosts file in the \Drivers\ETC
directory.
> The records are going to be very specific, as they will define the
domain
of
> the target domain, as well as (typically) the PDC for the target.  A
> 'mirror' LMHosts will be set up on the other trusting side.
> 
> As noted, the format of the records is specific, and can be found
here:
> 
> http://support.microsoft.com/kb/180094/
> 
> And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
> defined, otherwise they will not work.
> 
> Good luck - it's not daunting, but can be tedious to get working the
first
> time.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tue
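The WINS replication that joe describes ("connection agreements" keyed on IP address, no trust, no authentication) and that Aric proposes using between the old and new environments, as an added example that is not code from the thread. Placeholders: NEWWINS1 at 10.20.0.10 in the new forest, OLDWINS1 at 10.10.0.10 in the old one, old NetBIOS domain OLDCORP with DCs at 10.10.1.5 and 10.10.1.6. The netsh syntax is that of the Windows Server 2003 "netsh wins server" context; the closing check is the part a security engineer adds, because the same lack of authentication that makes this easy also means any partner you list, and anyone who can reach UDP 137, can put records into your database.

```powershell
# Added example, not from the thread. Pairs a WINS server in the new forest
# with one in the old environment as push/pull partners, the IP-based
# "connection agreement" joe describes, then checks that the old domain's
# DC list replicated and that it contains only the DCs you expect.
# Placeholder values: NEWWINS1 = 10.20.0.10, OLDWINS1 = 10.10.0.10, old
# NetBIOS domain OLDCORP. Run as an administrator of NEWWINS1.

$newWins   = '10.20.0.10'
$oldWins   = '10.10.0.10'
$oldDomain = 'OLDCORP'

# Type=2 = push and pull. No credentials are exchanged; the partner is just
# an address. The mirror image of this is run on OLDWINS1 (by the old
# side's admin if you only control one end).
netsh wins server \\$newWins add partner Server=$oldWins Type=2
netsh wins server \\$newWins show partner

# Pull now instead of waiting for the replication interval.
netsh wins server \\$newWins init pull Server=$oldWins

# OLDCORP<1C> is the domain-controller group record; it is what the trust
# wizard and the migration tools ask for over NetBIOS.
$raw = netsh wins server \\$newWins show name Name=$oldDomain EndChar=1C
$raw

# Anyone who can reach UDP 137 can register a name and any listed partner
# can inject records, so restrict TCP 42 (replication) to the partners above
# and compare the <1C> member addresses with the DCs you know about. The
# output also names the record owner (a WINS server), so both servers are
# excluded from the comparison.
$knownDcs   = @('10.10.1.5', '10.10.1.6')            # placeholder list of OLDCORP DCs
$expected   = $knownDcs + $newWins + $oldWins
$seen       = [regex]::Matches(($raw -join "`n"), '\d{1,3}(\.\d{1,3}){3}') |
              ForEach-Object { $_.Value } | Sort-Object -Unique
$unexpected = $seen | Where-Object { $expected -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unknown addresses in $oldDomain<1C>: $($unexpected -join ', ')"
}
```

Once the record is present on both sides, clients in either environment resolve the other domain's DCs through whichever WINS server they already use, which is why Aric can move the WINS servers first and leave client WINS settings alone.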

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to you.

However, given the trials and tribulations that you have discussed with us
over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable "best practice" method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick way
of doing something.  I am sure that the company that has retained your
services is being billed for the time that you work to migrate their user
base and Exchange to something that they can control.  Finding a DNS or a
WINS solution when the LMHosts solution is 'best practice' is simply not a
good idea.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

why can't you just use stub zones or conditional forwarding for this to
work?

or if NetBT is involved, can you just configure your wins servers to
replicate? I thought wins replication had nothing to do with NT
security. you just enter the ip of the partner servers...

Thanks

On 8/9/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> Really, it uses neither.  The NetBT is involved, but because we are on (at
> present) untrusted domains and forests, WINS isn't going to work.
> 
> Typically, this is done with an LMHosts file in the \Drivers\ETC
directory.
> The records are going to be very specific, as they will define the domain
of
> the target domain, as well as (typically) the PDC for the target.  A
> 'mirror' LMHosts will be set up on the other trusting side.
> 
> As noted, the format of the records is specific, and can be found here:
> 
> http://support.microsoft.com/kb/180094/
> 
> And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
> defined, otherwise they will not work.
> 
> Good luck - it's not daunting, but can be tedious to get working the first
> time.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 09, 2005 5:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD migration
> 
> Sorry to keep harping- but if you have a trust between a child win2k
> domain in one forest with a root or child domain in another forest,
> does this use wins or dns.
> i know this is not a "real" forest trust and more like an external
> trust in that its not transitive and uses ntlm and NOT kerberos, but
> does it also rely on wins/netbios like an old NT-style trust?
> 
> thanks
> 
> On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > I just started today so what I got was-
> > they have connectivity to the child dns server but they cut off
> > connectivity to anything in the root domain.
> > the firewall is blocking all root traffic.
> > this has been like this for a week.
> > nothing is replicating to the root and there is no access to the _msdc
> > forest zone.
> >
> > The forest is win2k native with an empty root and 1 child domain in a
> > separate tree.
> > they have DA access in the child domain but no DA/EA access in the root.
> > all the exchange servers(about 10) are in the child domain.
> > the only recipient policy in the root is the default one and the
> > enterprise RUS.
> >
> >
> > They want to migrate the child domain and all the resources to a new
> > forest where we have full control of everything.
> > i assume we do not need connectivity to the _msdc forest dns zone to
> > create a trust with the old child domain to migrate everything over(or
> > anything in the root dns zone).
> >
> > I'm not 2nd guessing the Quest guys, this is only for my own education.
> >
> > Thanks a lot
> >
> >
> > On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > > I am sure Quest's consultants know what they are doing. Didn't you
> have them put a quote and migration plan together prior to the actual
> migration? Or are you asking these questions because you are second
guessing
> them? Or is this just for your own knowledge?
> > >
> > > My understanding is that both domain names have to be different when
> using ADMT to migrate from a Source Domain to a Target Domain, unless
Quest
> has a tool that overcomes this that I am not aware of. Are you trying to
> k

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
why can't you just use stub zones or conditional forwarding for this to work?

or if NetBT is involved, can you just configure your wins servers to
replicate? I thought wins replication had nothing to do with NT
security. you just enter the ip of the partner servers...

Thanks

On 8/9/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> Really, it uses neither.  The NetBT is involved, but because we are on (at
> present) untrusted domains and forests, WINS isn't going to work.
> 
> Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
> The records are going to be very specific, as they will define the domain of
> the target domain, as well as (typically) the PDC for the target.  A
> 'mirror' LMHosts will be set up on the other trusting side.
> 
> As noted, the format of the records is specific, and can be found here:
> 
> http://support.microsoft.com/kb/180094/
> 
> And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
> defined, otherwise they will not work.
> 
> Good luck - it's not daunting, but can be tedious to get working the first
> time.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 09, 2005 5:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD migration
> 
> Sorry to keep harping, but if you have a trust between a child Win2K
> domain in one forest and a root or child domain in another forest,
> does this use WINS or DNS?
> I know this is not a "real" forest trust and more like an external
> trust in that it's not transitive and uses NTLM and NOT Kerberos, but
> does it also rely on WINS/NetBIOS like an old NT-style trust?
> 
> thanks
> 
> On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> > I just started today, so what I got was:
> > they have connectivity to the child DNS server, but they cut off
> > connectivity to anything in the root domain.
> > The firewall is blocking all root traffic.
> > This has been like this for a week.
> > Nothing is replicating to the root and there is no access to the _msdcs
> > forest zone.
> >
> > The forest is Win2K native with an empty root and 1 child domain in a
> > separate tree.
> > They have DA access in the child domain but no DA/EA access in the root.
> > All the Exchange servers (about 10) are in the child domain.
> > The only recipient policy in the root is the default one and the enterprise
> > RUS.
> >
> >
> > They want to migrate the child domain and all the resources to a new
> > forest where we have full control of everything.
> > I assume we do not need connectivity to the _msdcs forest DNS zone to
> > create a trust with the old child domain to migrate everything over (or
> > anything in the root DNS zone).
> >
> > I'm not second-guessing the Quest guys; this is only for my own education.
> >
> > Thanks a lot
> >
> >
> > On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > > I am sure Quest's consultants know what they are doing. Didn't you
> > > have them put a quote and migration plan together prior to the actual
> > > migration? Or are you asking these questions because you are second-guessing
> > > them? Or is this just for your own knowledge?
> > >
> > > My understanding is that both domain names have to be different when
> > > using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
> > > has a tool that overcomes this that I am not aware of. Are you trying to
> > > keep the same domain name as the source? Microsoft also has a free tool that
> > > will allow you to rename the target 2003 AD domain after you have
> > > completed your migration and decommissioned old DCs.
> > >
> > > Jose
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
> > > Jorge de
> > > Sent: Monday, August 08, 2005 2:46 PM
> > > To: ActiveDir@mail.activedir.org; activedirectory
> > > Subject: RE: [ActiveDir] AD migration
> > >
> > >
> > > What do you mean by "In fact, they are cut off from the root domain
> > > physically"? Do you mean as in there is no replication between the two
> > > domains? If yes... dare I ask for how long?
> > >
> > > As far as I know, you can migrate the child domain without the root being
> > > available because you will be having a trust between the new domain and the
> > > child domain.
> > >
> > > I still don't understand what you mean... They are cut off from the root
> > > an

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping, but if you have a trust between a child Win2K
domain in one forest and a root or child domain in another forest,
does this use WINS or DNS?
I know this is not a "real" forest trust and more like an external
trust in that it's not transitive and uses NTLM and NOT Kerberos, but
does it also rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today, so what I got was:
> they have connectivity to the child DNS server, but they cut off
> connectivity to anything in the root domain.
> The firewall is blocking all root traffic.
> This has been like this for a week.
> Nothing is replicating to the root and there is no access to the _msdcs
> forest zone.
> 
> The forest is Win2K native with an empty root and 1 child domain in a
> separate tree.
> They have DA access in the child domain but no DA/EA access in the root.
> All the Exchange servers (about 10) are in the child domain.
> The only recipient policy in the root is the default one and the enterprise
> RUS.
> 
> 
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdcs forest DNS zone to
> create a trust with the old child domain to migrate everything over (or
> anything in the root DNS zone).
> 
> I'm not second-guessing the Quest guys; this is only for my own education.
> 
> Thanks a lot
> 
> 
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
> > have them put a quote and migration plan together prior to the actual
> > migration? Or are you asking these questions because you are second-guessing
> > them? Or is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when
> > using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
> > has a tool that overcomes this that I am not aware of. Are you trying to
> > keep the same domain name as the source? Microsoft also has a free tool that
> > will allow you to rename the target 2003 AD domain after you have
> > completed your migration and decommissioned old DCs.
> >
> > Jose
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
> > Jorge de
> > Sent: Monday, August 08, 2005 2:46 PM
> > To: ActiveDir@mail.activedir.org; activedirectory
> > Subject: RE: [ActiveDir] AD migration
> >
> >
> > What do you mean by "In fact, they are cut off from the root domain
> > physically"? Do you mean as in there is no replication between the two
> > domains? If yes... dare I ask for how long?
> >
> > As far as I know, you can migrate the child domain without the root being
> > available because you will be having a trust between the new domain and the
> > child domain.
> >
> > I still don't understand what you mean... They are cut off from the root
> > and the DNS is available in the root. I must be missing something. Can you
> > explain a bit more?
> >
> > Jorge
> >
> > 
> >
> > From: [EMAIL PROTECTED] on behalf of Tom Kern
> > Sent: Mon 8/8/2005 11:08 PM
> > To: activedirectory
> > Subject: [ActiveDir] AD migration
> >
> >
> >
> > I just started working for a company. They used to outsource their
> > AD/Exchange but now they're trying to get it back.
> >
> > It's a 2-tree, 2-domain forest. The root domain is empty.
> > This company only has DA access on the child domain. No EA access. In
> > fact, they are cut off from the root domain physically.
> >
> > What they want to do is create a new forest and migrat
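
Rick's LMHOSTS recipe above, as an added PowerShell example that is not part of the thread or of any Microsoft tooling: it builds the two records KB 180094 calls for on each side (the PDC line tagged #PRE #DOM:, and the quoted domain <1B> line whose name is padded to exactly 15 characters before \0x1b, which is the "EXACTLY as defined" record Rick warns about), refuses to install a mis-padded record, and reloads the NetBIOS cache so the entries can be confirmed with nbtstat. The domain names OLDCHILD and NEWCORP, the PDC names OLDDC1 and NEWDC1 and the addresses 10.10.0.5 and 10.20.0.5 are constructed. It does nothing with WINS; as Rick says, WINS is not in play between untrusted forests.

```powershell
# Added example, not from the thread. Builds the LMHOSTS records Rick describes
# (format: http://support.microsoft.com/kb/180094/) for an NTLM external trust
# between forests that cannot use each other's WINS or DNS.
# All domain names, host names and IP addresses below are constructed.

function New-LmhostsTrustEntries {
    param(
        [Parameter(Mandatory)][string]$NetbiosDomain,   # NetBIOS name of the *other* side's domain
        [Parameter(Mandatory)][string]$PdcName,         # NetBIOS name of that domain's PDC (emulator)
        [Parameter(Mandatory)][ipaddress]$PdcIp
    )
    if ($NetbiosDomain.Length -gt 15 -or $PdcName.Length -gt 15) {
        throw 'NetBIOS names are limited to 15 characters'
    }
    $domain = $NetbiosDomain.ToUpperInvariant()
    # 1. The PDC itself, preloaded (#PRE) and tagged as a DC of $domain (#DOM:).
    # 2. The domain's <1B> name: the name padded with spaces to exactly 15
    #    characters, followed by \0x1b, all inside double quotes (20 characters).
    #    This is the record that must be "EXACTLY as defined".
    @(
        ('{0}    {1}    #PRE #DOM:{2}' -f $PdcIp, $PdcName.ToUpperInvariant(), $domain)
        ('{0}    "{1}\0x1b"    #PRE'   -f $PdcIp, $domain.PadRight(15))
    )
}

function Test-LmhostsDomainEntry {
    # Returns $true only if $Line is a correctly padded <1B> record for $NetbiosDomain.
    param(
        [Parameter(Mandatory)][string]$Line,
        [Parameter(Mandatory)][string]$NetbiosDomain
    )
    if (-not ($Line -match '"([^"]*)"\s+#PRE')) { return $false }
    $quoted = $Matches[1]
    return ($quoted.Length -eq 20) -and
           $quoted.EndsWith('\0x1b') -and
           ($quoted.Substring(0, 15) -ceq $NetbiosDomain.ToUpperInvariant().PadRight(15))
}

function Install-LmhostsEntries {
    # Appends the records and reloads the NetBIOS name cache (needs elevation).
    # "Enable LMHOSTS lookup" must be on in the adapter's WINS settings.
    param(
        [Parameter(Mandatory)][string[]]$Entries,
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts')
    )
    Add-Content -Path $Path -Value $Entries -Encoding Ascii
    nbtstat -R | Out-Null        # purge the cache and reload the #PRE entries
    nbtstat -c                   # the partner domain's <1B> entry should show as Preloaded
}

# Mirror setup: each side gets the other side's records (constructed values).
$forNewForestHosts = New-LmhostsTrustEntries -NetbiosDomain 'OLDCHILD' -PdcName 'OLDDC1' -PdcIp '10.10.0.5'
$forOldChildHosts  = New-LmhostsTrustEntries -NetbiosDomain 'NEWCORP'  -PdcName 'NEWDC1' -PdcIp '10.20.0.5'

# Refuse to install anything whose <1B> record is mis-padded.
$sets = @{ OLDCHILD = $forNewForestHosts; NEWCORP = $forOldChildHosts }
foreach ($name in $sets.Keys) {
    if (-not (Test-LmhostsDomainEntry -Line $sets[$name][1] -NetbiosDomain $name)) {
        throw "Bad <1B> record for $name"
    }
}
$forNewForestHosts
$forOldChildHosts

# On a DC in the new forest:   Install-LmhostsEntries -Entries $forNewForestHosts
# On a DC in the old child:    Install-LmhostsEntries -Entries $forOldChildHosts
```

Each side installs the other side's records (the "mirror" file Rick mentions), "Enable LMHOSTS lookup" has to be ticked in the adapter's WINS settings, and nbtstat -c should list the partner domain's <1B> entry as Preloaded on both sides before you attempt the trust. A record that is one space short or long in the quoted field is silently ignored by the NetBT resolver, which is why the script checks the padding rather than trusting the formatter.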

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry to keep harping, but if you have a trust between a child Win2K
domain in one forest and a root or child domain in another forest,
does this use WINS or DNS?
I know this is not a "real" forest trust and more like an external
trust in that it's not transitive and uses NTLM and NOT Kerberos, but
does it also rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today, so what I got was:
> they have connectivity to the child DNS server, but they cut off
> connectivity to anything in the root domain.
> The firewall is blocking all root traffic.
> This has been like this for a week.
> Nothing is replicating to the root and there is no access to the _msdcs
> forest zone.
> 
> The forest is Win2K native with an empty root and 1 child domain in a
> separate tree.
> They have DA access in the child domain but no DA/EA access in the root.
> All the Exchange servers (about 10) are in the child domain.
> The only recipient policy in the root is the default one and the enterprise
> RUS.
> 
> 
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdcs forest DNS zone to
> create a trust with the old child domain to migrate everything over (or
> anything in the root DNS zone).
> 
> I'm not second-guessing the Quest guys; this is only for my own education.
> 
> Thanks a lot
> 
> 
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you have
> > them put a quote and migration plan together prior to the actual migration?
> > Or are you asking these questions because you are second-guessing them? Or
> > is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when using
> > ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a
> > tool that overcomes this that I am not aware of. Are you trying to keep
> > the same domain name as the source? Microsoft also has a free tool that
> > will allow you to rename the target 2003 AD domain after you have
> > completed your migration and decommissioned old DCs.
> >
> > Jose
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
> > Jorge de
> > Sent: Monday, August 08, 2005 2:46 PM
> > To: ActiveDir@mail.activedir.org; activedirectory
> > Subject: RE: [ActiveDir] AD migration
> >
> >
> > What do you mean by "In fact, they are cut off from the root domain
> > physically"? Do you mean as in there is no replication between the two
> > domains? If yes... dare I ask for how long?
> >
> > As far as I know, you can migrate the child domain without the root being
> > available because you will be having a trust between the new domain and the
> > child domain.
> >
> > I still don't understand what you mean... They are cut off from the root
> > and the DNS is available in the root. I must be missing something. Can you
> > explain a bit more?
> >
> > Jorge
> >
> > 
> >
> > From: [EMAIL PROTECTED] on behalf of Tom Kern
> > Sent: Mon 8/8/2005 11:08 PM
> > To: activedirectory
> > Subject: [ActiveDir] AD migration
> >
> >
> >
> > I just started working for a company. They used to outsource their
> > AD/Exchange but now they're trying to get it back.
> >
> > It's a 2-tree, 2-domain forest. The root domain is empty.
> > This company only has DA access on the child domain. No EA access. In
> > fact, they are cut off from the root domain physically.
> >
> > What they want to do is create a new forest and migrate all
> > users, Exchange, computers, etc. to the new forest and be done with the
> > old.
> > They are going to use Quest software and a consultant from Quest for this.
> >
> > My question is: can this be done without any connectivity to the root?
> > Both DNS zones are in the root so they really don't have any DNS
> > locally as well (needless to say, you can imagine what the rep logs
> > look like). I'm sure this complicates matters.
> > However, the Quest people seem to think this can still work.
> > Can it?
> >
> > Also, can the new forest have the same domain names as the old one?
> >
> > Thanks (I'm the guy who posted about his new job jitters about a week
> > or 2 ago, and here I am. Their AD is more

Re: [ActiveDir] AD migration

2005-08-08 Thread Tom Kern
I just started today, so what I got was:
they have connectivity to the child DNS server, but they cut off
connectivity to anything in the root domain.
The firewall is blocking all root traffic.
This has been like this for a week.
Nothing is replicating to the root and there is no access to the _msdcs
forest zone.

The forest is Win2K native with an empty root and 1 child domain in a
separate tree.
They have DA access in the child domain but no DA/EA access in the root.
All the Exchange servers (about 10) are in the child domain.
The only recipient policy in the root is the default one and the enterprise RUS.


They want to migrate the child domain and all the resources to a new
forest where we have full control of everything.
I assume we do not need connectivity to the _msdcs forest DNS zone to
create a trust with the old child domain to migrate everything over (or
anything in the root DNS zone).

I'm not second-guessing the Quest guys; this is only for my own education.

Thanks a lot


On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> I am sure Quest's consultants know what they are doing. Didn't you have 
> them put a quote and migration plan together prior to the actual migration? 
> Or are you asking these questions because you are second-guessing them? Or is 
> this just for your own knowledge?
> 
> My understanding is that both domain names have to be different when using 
> ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a 
> tool that overcomes this that I am not aware of. Are you trying to keep the 
> same domain name as the source? Microsoft also has a free tool that will 
> allow you to rename the target 2003 AD domain after you have completed 
> your migration and decommissioned old DCs.
> 
> Jose
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
> Jorge de
> Sent: Monday, August 08, 2005 2:46 PM
> To: ActiveDir@mail.activedir.org; activedirectory
> Subject: RE: [ActiveDir] AD migration
> 
> 
> What do you mean by "In fact, they are cut off from the root domain 
> physically"? Do you mean as in there is no replication between the two 
> domains? If yes... dare I ask for how long?
> 
> As far as I know, you can migrate the child domain without the root being 
> available because you will be having a trust between the new domain and the 
> child domain.
> 
> I still don't understand what you mean... They are cut off from the root and 
> the DNS is available in the root. I must be missing something. Can you explain 
> a bit more?
> 
> Jorge
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Tom Kern
> Sent: Mon 8/8/2005 11:08 PM
> To: activedirectory
> Subject: [ActiveDir] AD migration
> 
> 
> 
> I just started working for a company. They used to outsource their
> AD/Exchange but now they're trying to get it back.
> 
> It's a 2-tree, 2-domain forest. The root domain is empty.
> This company only has DA access on the child domain. No EA access. In
> fact, they are cut off from the root domain physically.
> 
> What they want to do is create a new forest and migrate all
> users, Exchange, computers, etc. to the new forest and be done with the
> old.
> They are going to use Quest software and a consultant from Quest for this.
> 
> My question is: can this be done without any connectivity to the root?
> Both DNS zones are in the root so they really don't have any DNS
> locally as well (needless to say, you can imagine what the rep logs
> look like). I'm sure this complicates matters.
> However, the Quest people seem to think this can still work.
> Can it?
> 
> Also, can the new forest have the same domain names as the old one?
> 
> Thanks (I'm the guy who posted about his new job jitters about a week
> or 2 ago, and here I am. Their AD is more messed up than I thought :)
> )
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> 
> This e-mail and any attachment is for authorised use by the intended 
> recipient(s) only. It may contain proprietary material, confidential 
> information and/or be subject to legal privilege. It should not be copied, 
> disclosed to, retained or used by, any other party. If you are not an 
> intended recipient then please promptly delete this e-mail and any attachment 
> and all copies and inform the sender. Thank you.

RE: [ActiveDir] AD migration

2005-08-08 Thread Medeiros, Jose
I am sure Quest's consultants know what they are doing. Didn't you have them 
put a quote and migration plan together prior to the actual migration? Or are 
you asking these questions because you are second-guessing them? Or is this 
just for your own knowledge?

My understanding is that both domain names have to be different when using ADMT 
to migrate from a Source Domain to a Target Domain, unless Quest has a tool 
that overcomes this that I am not aware of. Are you trying to keep the same 
domain name as the source? Microsoft also has a free tool that will allow you 
to rename the target 2003 AD domain after you have completed your migration 
and decommissioned old DCs.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, August 08, 2005 2:46 PM
To: ActiveDir@mail.activedir.org; activedirectory
Subject: RE: [ActiveDir] AD migration


What do you mean by "In fact, they are cut off from the root domain 
physically"? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know, you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. They used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2-tree, 2-domain forest. The root domain is empty. 
This company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users, Exchange, computers, etc. to the new forest and be done with the 
old. 
They are going to use Quest software and a consultant from Quest for this. 

My question is: can this be done without any connectivity to the root? 
Both DNS zones are in the root so they really don't have any DNS 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
However, the Quest people seem to think this can still work. 
Can it? 

Also, can the new forest have the same domain names as the old one? 

Thanks (I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here I am. Their AD is more messed up than I thought :) 
) 


RE: [ActiveDir] AD migration

2005-08-08 Thread Almeida Pinto, Jorge de
What do you mean by "In fact, they are cut off from the root domain 
physically"? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know, you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. They used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2-tree, 2-domain forest. The root domain is empty. 
This company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users, Exchange, computers, etc. to the new forest and be done with the 
old. 
They are going to use Quest software and a consultant from Quest for this. 

My question is: can this be done without any connectivity to the root? 
Both DNS zones are in the root so they really don't have any DNS 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
However, the Quest people seem to think this can still work. 
Can it? 

Also, can the new forest have the same domain names as the old one? 

Thanks (I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here I am. Their AD is more messed up than I thought :) 
) 


RE: [ActiveDir] AD migration

2005-08-08 Thread Grillenmeier, Guido
Hey Tom - sounds like fun.

The phrase "they are cut off from the root domain physically" combined
with "both DNS zones are in the root and they don't have any DNS
locally" sounds a bit unrealistic - this should naturally cause numerous
replication issues; basically nothing should work (even normal
authentication) as it all requires DNS lookup.  

So I'm guessing that you do have some DNS servers in your child domains
and it would be worthwhile for you to check if there are any secondary
zones from the root domain (or the _msdcs subzone) being hosted on your
child DCs or another DNS server used in your network.  But your task
doesn't seem to be fixing the current AD implementation, but rather to
move away from it.

DNS name resolution is critical for any kind of trust in AD (except for
trusts to NT4 domains, which is not your scenario); however, you do not
require EA permissions to set them up from your child domain to another
domain in a new forest.  But naturally you won't be able to create a
forest trust (i.e. from root of current forest to root of new forest). 

The names of those domains that are directly trusted can NOT be the same
(need to have different NetBIOS domain names). 

So yes, migration should work and even if you don't want to fix the
current chaos, you should ensure that DNS works well (in worst case
concentrate on creating a workaround just for your child domain - which
should be sufficient for trust creation to your new forest where I'm
sure you fully control DNS).


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Dienstag, 9. August 2005 00:09
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. They used to outsource their
AD/Exchange but now they're trying to get it back.

It's a 2-tree, 2-domain forest. The root domain is empty.
This company only has DA access on the child domain. No EA access. In
fact, they are cut off from the root domain physically.

What they want to do is create a new forest and migrate all
users, Exchange, computers, etc. to the new forest and be done with the
old.
They are going to use Quest software and a consultant from Quest for this.

My question is: can this be done without any connectivity to the root?
Both DNS zones are in the root so they really don't have any DNS
locally as well (needless to say, you can imagine what the rep logs
look like). I'm sure this complicates matters.
However, the Quest people seem to think this can still work.
Can it?

Also, can the new forest have the same domain names as the old one?

Thanks (I'm the guy who posted about his new job jitters about a week
or 2 ago, and here I am. Their AD is more messed up than I thought :)
)

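Guido's point that DNS name resolution is a prerequisite for any AD trust, as an added PowerShell example that is not from the thread: a check that the partner domain's DC locator records (the _ldap and _kerberos SRV records under _msdcs) resolve from this side and that every DC they name has an address, which is what trust creation from the child domain needs even without EA rights. The resolver is a parameter so the logic can be exercised offline against constructed zone data; the default assumes Resolve-DnsName from the DnsClient module, which did not exist on Windows 2000. The names newcorp.example, root.example and newdc1 and the address 10.20.0.5 are constructed.

```powershell
# Added example, not from the thread. Checks the DNS prerequisite Guido names
# before creating a trust from the child domain to the new forest: the partner
# domain's DC locator records must resolve from this side. Domain names and
# addresses are constructed; the default resolver assumes the DnsClient module.

function Test-TrustDnsPrerequisites {
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,     # DNS name of the domain you want to trust
        # Resolver abstraction so the logic can run offline: takes (name, type) and
        # returns record objects with NameTarget (SRV) or IPAddress (A).
        [scriptblock]$Resolver = { param($n, $t) Resolve-DnsName -Name $n -Type $t -ErrorAction Stop }
    )
    $result = [ordered]@{ Domain = $PartnerDomain; Ok = $true; Problems = @() }
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        $name = "$svc.$PartnerDomain"
        try   { $srv = @(& $Resolver $name 'SRV' | Where-Object { $_.NameTarget }) }
        catch { $srv = @() }
        if ($srv.Count -eq 0) {
            $result.Ok = $false
            $result.Problems += "no SRV records for $name"
            continue
        }
        # Every DC the SRV records point at must also resolve to an address.
        foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
            try   { $a = @(& $Resolver $dc 'A' | Where-Object { $_.IPAddress }) }
            catch { $a = @() }
            if ($a.Count -eq 0) {
                $result.Ok = $false
                $result.Problems += "SRV target $dc has no A record"
            }
        }
    }
    [pscustomobject]$result
}

# Constructed zone data standing in for a child-domain DNS server that can
# resolve the new forest (newcorp.example) but still nothing in the old root.
$fakeZone = @{
    'SRV _ldap._tcp.dc._msdcs.newcorp.example'     = @([pscustomobject]@{ NameTarget = 'newdc1.newcorp.example' })
    'SRV _kerberos._tcp.dc._msdcs.newcorp.example' = @([pscustomobject]@{ NameTarget = 'newdc1.newcorp.example' })
    'A newdc1.newcorp.example'                     = @([pscustomobject]@{ IPAddress  = '10.20.0.5' })
}
$fakeResolver = {
    param($n, $t)
    $key = "$t $n"
    if ($fakeZone.ContainsKey($key)) { $fakeZone[$key] } else { throw "NXDOMAIN $n" }
}.GetNewClosure()

Test-TrustDnsPrerequisites -PartnerDomain 'newcorp.example' -Resolver $fakeResolver
Test-TrustDnsPrerequisites -PartnerDomain 'root.example'    -Resolver $fakeResolver

# Live use from a child DC (DnsClient module present):
#   Test-TrustDnsPrerequisites -PartnerDomain 'newcorp.example'
```

The first call reports Ok = True; the second reports Ok = False with both SRV names listed as missing, which is Tom's situation for anything under the old root. Run it from both sides, since the trust partner has to locate your DCs as well. The usual fix on the child side is a zone for the new forest's domain that the child DNS servers can answer from; note that conditional forwarders and stub zones (Tom's suggestion) arrived with Windows Server 2003 DNS, so on Windows 2000 child DCs a secondary zone is the option, with Rick's LMHOSTS as the NetBIOS fallback.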

RE: [ActiveDir] AD Migration paths (divesting forests)

2002-10-15 Thread Rick Kingslan

See comments inline below

>  -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]  On Behalf Of Ayers, Diane
> Sent: Tuesday, October 15, 2002 9:50 AM
> To:   '[EMAIL PROTECTED]'
> Subject:  RE: [ActiveDir] AD Migration paths (divesting forests)
> 
> Rick:
> 
> Thanks for the information.  Much appreciated.  A few questions for the
> masses...
> 
> * Although our forest is native mode, we still have a number of NT 4.0
> "resource domains" that contain most of our resources (no users) in the
> source forest.  All of these resources that are moving to the new forest
> will be moved into AD.  Once the user is migrated to the new forest, will
> SID history flow down to the resource domains that trust the source AD
> domain?  This will be critical to the users if we migrate the users'
> accounts first.
> 
SIDHistory is going to be your friend here.  It will maintain your
access to 'legacy' domains as well.

> * SID history and Exchange: Once the users are migrated, if their
> mailboxes are still in the source forest, will SID history allow access to
> the legacy mailbox?  My thinking is that the user and mailboxes
> should be migrated at the same time.   If we do migrate the users and
> their mailboxes, there may still be "resource" mailboxes they may need to
> access during the transition.  The source is still in Exchange mixed mode
> today but by the time we will be doing the actual migration, we should be
> all E2K.
> 
I don't THINK SidHistory is going to help here But, I may be
wrong.  If it does, we've been going to WAAAY too much work.

Believe me when I tell you that if you CAN move the user and the
associated mailbox at the same time it will be much more seamless to the
user.  Otherwise, remember that I said in my earlier post that ADMT left the
disabled user account in the source?  This is your salvation if the mail
cannot come across at the same time.  We ran into an issue where the
Exchange could not come across until the users were across (I think it was
an excuse from the Exchange team as they weren't ready - it's clearly not a
technical issue!).

What you do in the case where your user comes across but the mail is
still in another forest is to use that disabled account.  It is still
attached to the mailbox.  Through the Exchange AD U&C snap-in, add the user
in the new forest (you have a trust, so this is not a problem) and give the
user in the new forest (I can't remember the 3 perms - clear the top one,
check the 2nd one, and check the bottom 2 - one will be to Associate
External Account).  

> * E2K to E2K migration.  A lot of ven-duhs have E5.5 to E2K migration
> tools, there is not much E2K to E2K migration tools.  Are there any best
> practices / tools around e2K to E2K migrations?
> 
I'll leave this one to the much more expert Exchange folks.

> Diane
> 
>-Original Message-----
>   From:   Rick Kingslan [mailto:[EMAIL PROTECTED]] 
>   Sent:   Monday, October 14, 2002 9:09 PM
>   To: [EMAIL PROTECTED]
>   Subject:RE: [ActiveDir] AD Migration paths (divesting
> forests)
> 
>   Diane,
> 
>   Though our situation is not exactly similar (we plan on retiring the
> old forest once we're finished), it is similar enough that I can talk
> authoritatively about what we did and how our rate of success has been.
> 
>   Firstly, we created an empty root forest with a single child domain
> (it has changed since then - more domains) and created a trust between the
> source domain and the target child.  Knowing that it was important to
> retain our investment in Group Policy, we used FAZAM 2000 to migrate the
> GPOs.  
> 
>   We had all but eliminated our Windows NT 4.0 BDCs in our old
> environment, so the legacy issues did not cause us any concern in the new
> forest.  We moved instantly to a Native mode domain which left us a bit
> more open for the Groups/User/Computer migration.  Each of the security
> principals were migrated to the new forest/domain using ADMT version 2.0
> (key to retaining Passwords of migrated users! More on this momentarily). 
> 
>   Users were migrated with options set to disable the source, enable
> the target, fixup the target group memberships (as the Global and Local
> Domain groups had already been moved) and to enable SID history.  We have
> the need to retain access to resources in the old domain/forest until it
> is retired.  Computers are moved across and the Security on the machine is
> migrated or changed to make it consistent with the domain that it is
> joining.  An agent is dispatched to the machine and it operates on t
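
Rick's ADMT migration with SID history, as an added PowerShell example that is not part of the thread or of ADMT: after a batch of users has been migrated, it audits the sIDHistory attribute so that every account carries exactly one SID from the old source domain (what keeps access to old-forest resources working) and nothing from any other domain, which is the check a practitioner wants before relying on those tokens. The source domain SID and the three sample accounts are constructed; on a real domain the input is Get-ADUser -Filter * -Properties sIDHistory from the ActiveDirectory module.

```powershell
# Added example, not from the thread. Audits sIDHistory on accounts migrated
# with ADMT the way Rick describes: every migrated user should carry exactly
# one SID from the source domain, and nothing from anywhere else.
# The domain SIDs and sample accounts below are constructed.

function Test-MigratedSidHistory {
    param(
        # Objects with Name and SIDHistory (a list of SIDs), as returned by
        #   Get-ADUser -Filter * -Properties sIDHistory
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$SourceDomainSid
    )
    foreach ($u in $Users) {
        $history    = @($u.SIDHistory | ForEach-Object { [System.Security.Principal.SecurityIdentifier]$_ })
        # AccountDomainSid is the S-1-5-21-... prefix; $null for well-known SIDs.
        $fromSource = @($history | Where-Object { $_.AccountDomainSid -eq $SourceDomainSid })
        $foreign    = @($history | Where-Object { $_.AccountDomainSid -ne $SourceDomainSid })

        $status = 'Ok'
        if ($history.Count -eq 0)        { $status = 'NoHistory' }      # old-forest access will fail
        elseif ($foreign.Count -gt 0)    { $status = 'UnexpectedSid' }  # SID from a domain you did not migrate from
        elseif ($fromSource.Count -gt 1) { $status = 'Duplicate' }      # migrated twice, or stale ADMT run

        [pscustomobject]@{
            Name    = $u.Name
            Status  = $status
            History = ($history | ForEach-Object Value) -join ','
        }
    }
}

# Constructed source domain SID and sample accounts standing in for ADMT output.
$oldChild = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'alice'; SIDHistory = @("$($oldChild.Value)-1105") }
    [pscustomobject]@{ Name = 'bob';   SIDHistory = @() }
    [pscustomobject]@{ Name = 'carol'; SIDHistory = @("$($oldChild.Value)-1190",
                                                     'S-1-5-21-4444444444-5555555555-6666666666-512') }
)
Test-MigratedSidHistory -Users $sample -SourceDomainSid $oldChild | Format-Table -AutoSize

# Live use against the target domain after a migration batch:
#   Get-ADUser -Filter * -Properties sIDHistory |
#       Test-MigratedSidHistory -SourceDomainSid $oldChild
```

In the sample, alice is Ok, bob has NoHistory (his access to legacy resources will break until he is re-migrated with SID history enabled), and carol carries a RID 512 SID from a domain that was never a migration source, which needs explaining before she is allowed to use the trust. One caveat to Rick's "SIDHistory is your friend": SID filtering (quarantine) on the trust strips sIDHistory SIDs from tokens crossing it, and trusts created from Windows Server 2003 and later domain controllers have it on by default, so this access only works while filtering is off for that trust.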

RE: [ActiveDir] AD Migration paths (divesting forests)

2002-10-15 Thread Ayers, Diane

Roger:

Thanks for the tip.  Unfortunately, approx numbers are 4,000-5,000
users/workstations over most of the state and maybe 500 - 1,000 GB of data
(swag) so the "weekend approach" doesn't work for us.  We are going to have
to do a staged migration and maintain business process during the
transition.

Diane

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 4:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Migration paths (divesting forests)


We have traditionally done a single, full migration - workstations, servers
and accounts all at once. It tends to make for long weekends, but you only
touch each client machine once.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, October 14, 2002 10:40 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD Migration paths (divesting forests)
> 
> 
> Our company is divesting part of the organization into a 
> separate company.  That means we need to split our AD forest 
> into two separate forests.   We have a sense of how we are 
> going to do it but one question I have is the sequence.  
> 
> We are going to build the new forest (both forests are empty 
> root, single domain) and set up an external trust between the 
> two main domains.  One plan has us migrating resources such 
> as workstations, servers, etc to the new forest maintaining 
> ACLs, etc to the resources and then migrate accounts towards 
> the end.  The second plan has us migrating the accounts first 
> and using SID history to maintain access to legacy resources 
> until they are migrated to the new domain.  Both plans seem 
> to work technically but we are not sure of "best practices" 
> as far as the migration.  A recent talk at MEC suggested the 
> latter as opposed to the former.
> 
> Since we have not gone through this before in our 
> organization, I was hoping that folks that have gone through 
> this might shed some light...
> 
> Diane
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD Migration paths (divesting forests)

2002-10-15 Thread Roger Seielstad

We have traditionally done a single, full migration - workstations, servers
and accounts all at once. It tends to make for long weekends, but you only
touch each client machine once.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, October 14, 2002 10:40 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD Migration paths (divesting forests)
> 
> 
> Our company is divesting part of the organization into a 
> separate company.  That means we need to split our AD forest 
> into two separate forests.   We have a sense of how we are 
> going to do it but one question I have is the sequence.  
> 
> We are going to build the new forest (both forests are empty 
> root, single domain) and set up an external trust between the 
> two main domains.  One plan has us migrating resources such 
> as workstations, servers, etc to the new forest maintaining 
> ACLs, etc to the resources and then migrate accounts towards 
> the end.  The second plan has us migrating the accounts first 
> and using SID history to maintain access to legacy resources 
> until they are migrated to the new domain.  Both plans seem 
> to work technically but we are not sure of "best practices" 
> as far as the migration.  A recent talk at MEC suggested the 
> latter as opposed to the former.
> 
> Since we have not gone through this before in our 
> organization, I was hoping that folks that have gone through 
> this might shed some light...
> 
> Diane
> 



RE: [ActiveDir] AD Migration paths (divesting forests)

2002-10-14 Thread Rick Kingslan

Diane,

Though our situation is not exactly similar (we plan on retiring the old
forest once we're finished), it is similar enough that I can talk
authoritatively about what we did and how our rate of success has been.

Firstly, we created an empty root forest with a single child domain (it has
changed since then - more domains) and created a trust between the source
domain and the target child.  Knowing that it was important to retain our
investment in Group Policy, we used FAZAM 2000 to migrate the GPOs.  

We had all but eliminated our Windows NT 4.0 BDCs in our old environment, so
the legacy issues did not cause us any concern in the new forest.  We moved
instantly to a Native mode domain which left us a bit more open for the
Groups/User/Computer migration.  Each of the security principals was
migrated to the new forest/domain using ADMT version 2.0 (key to retaining
Passwords of migrated users! More on this momentarily). 

Users were migrated with options set to disable the source, enable the
target, fixup the target group memberships (as the Global and Local Domain
groups had already been moved) and to enable SID history.  We have the need
to retain access to resources in the old domain/forest until it is retired.
Computers are moved across and the Security on the machine is migrated or
changed to make it consistent with the domain that it is joining.  An agent
is dispatched to the machine and it operates on the machine locally.  It is
important to know that the Domain Admin or some higher level user must have
access to the %systemroot%\admin$ administrative share for the agent to be
able to work.  This certainly is not a problem on most systems, but there
always seems to be a few that find out how to remove your access to their
machine.  It's also important to note that ADMT is more targeted at the
Windows NT migrations.  Because of this, WINS and NetBIOS are used heavily -
even in a pure Windows 2000 environment.  If all of a sudden you can't see a
given DC, set of machines, etc - it's a WINS/NetBIOS thing.  ADMT doesn't
even think of using DNS - doesn't even know what it is.  Just a pointer to
be aware of.

As a sidebar, if you use roaming profiles, you'll find the rate of success
with the computers much higher.  Local profiles had a tendency to cause us
some issues (security fixup and the system recognizing the user profile on
login) to the point where on most machines it became our MO to just manually
join the machine to the target domain and copy the user profile to the
intended directory.  In the long run, it caused less time and less headaches
- especially when dealing with laptops (mainly because if we gave them
notice that we were migrating the laptop that night, the user would take it
home anyway.  This would occur even if we told them 5 minutes before they
packed up to leave!  Endusers..  :/ )

With ADMT v 2.0, you now get the option to migrate the passwords of your
users as well.  This requires creating a crypto-key on the system in which
ADMT is being installed (in the source domain) and installing the key on a
machine that is a DC in the source.  You will indicate this machine in the
field (persistent field - doesn't have to be reset each time) and the key
will be leveraged to migrate the password.

This has worked quite well for us in moving ~15,000 users, computers,
groups, etc. from one forest/domain to another.

If you have any questions, don't hesitate to ask.

Rick Kingslan - Microsoft Certified Trainer
  MCSE+I on Windows NT 4.0
  MCSE on Windows 2000
  MVP [Windows NT/2000 Server]

"Any sufficiently advanced technology
is indistinguishable from magic."
  ---  Arthur C. Clarke






>  -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, October 14, 2002 9:40 PM
> To:   [EMAIL PROTECTED]
> Subject:  [ActiveDir] AD Migration paths (divesting forests)
> 
> Our company is divesting part of the organization into a separate company.
> That means we need to split our AD forest into two separate forests.   We
> have a sense of how we are going to do it but one question I have is the
> sequence.  
> 
> We are going to build the new forest (both forests are empty root, single
> domain) and set up an external trust between the two main domains.  One
> plan has us migrating resources such as workstations, servers, etc to the
> new forest maintaining ACLs, etc to the resources and then migrate
> accounts towards the end.  The second plan has us migrating the accounts
> first and using SID history to maintain access to legacy resources until
> they are migrated to the new domain.  Both plans seem to work technically
> but we are not sure of "best practices" as far as the migration.  A recent
> talk at MEC suggested the latter as opposed to the former.
> 
> Since we have not gone through this before in our organization, I was
> hoping that folks that have gone through this might shed some light...
> 
> Diane

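An added example, not code from Rick's post, from ADMT, or from anyone on the list: a PowerShell pre-flight and post-migration check for the three things Rick's account turns on (the trust that carries SID history, admin$ reachability for the agent, NetBIOS name resolution) plus a verification that sidHistory was actually written on the target account. It assumes a current ActiveDirectory PowerShell module (the thread predates it), hypothetical domain names old.corp (source, where the legacy resources live) and new.corp (target), a machine list in .\computers.txt, and that it is run as the migration account from the ADMT console. The SID filtering check is a general caveat on external trusts, not something the thread raises.

```powershell
# Added example, not from the thread or from ADMT. Pre-flight and post-migration
# checks for an ADMT-style inter-forest migration.
# Assumptions (all hypothetical): source domain old.corp, target domain new.corp,
# machine list in .\computers.txt, ActiveDirectory module installed, script run
# as the migration account on the ADMT console.
Import-Module ActiveDirectory

$SourceDomain = 'old.corp'   # where the legacy resources (and their ACLs) stay
$TargetDomain = 'new.corp'   # where the accounts are going

# 1. sidHistory only buys access to old-forest resources if the old forest's trust
#    to the new forest does not quarantine (SID-filter) foreign SIDs. Get-ADTrust
#    exposes that setting as SIDFilteringQuarantined on the trusting side.
function Test-TrustAllowsSidHistory {
    param([string]$TrustingDomain, [string]$TrustedDomain)
    $trust = Get-ADTrust -Server $TrustingDomain -Filter "Name -eq '$TrustedDomain'"
    if (-not $trust) {
        Write-Warning "No trust object for $TrustedDomain found in $TrustingDomain"
        return $false
    }
    return (-not $trust.SIDFilteringQuarantined)
}

# 2. The agent is pushed over \\host\admin$ and the host is found by NetBIOS name,
#    so both must work from this console before migration night. DNS is checked
#    only for information; a working DNS name does not mean ADMT can find the box.
function Test-MigrationTarget {
    param([string]$Computer)
    $result = [ordered]@{
        Computer   = $Computer
        NetBios    = $false
        Dns        = $false
        AdminShare = $false
    }
    # nbtstat -a asks the remote machine for its name table; "Host not found."
    # means there is no NetBIOS path (WINS entry or broadcast) to it.
    $nbt = & nbtstat -a $Computer 2>&1
    $result.NetBios = -not ($nbt -match 'Host not found')
    try { [void][System.Net.Dns]::GetHostEntry($Computer); $result.Dns = $true } catch { }
    $result.AdminShare = [bool](Test-Path -Path "\\$Computer\admin$" -ErrorAction SilentlyContinue)
    return [pscustomobject]$result
}

# 3. After ADMT has run: the target account must carry the source objectSid in its
#    sidHistory, otherwise the "enable SID history" option did nothing for that user
#    and the legacy ACLs will not match.
function Test-SidHistoryMigrated {
    param([string]$SamAccountName)
    $src = Get-ADUser -Server $SourceDomain -Identity $SamAccountName -Properties objectSid
    $dst = Get-ADUser -Server $TargetDomain -Identity $SamAccountName -Properties sidHistory
    $history = @($dst.sidHistory | ForEach-Object { $_.Value })
    return ($history -contains $src.objectSid.Value)
}

# --- pre-flight ---
if (-not (Test-TrustAllowsSidHistory -TrustingDomain $SourceDomain -TrustedDomain $TargetDomain)) {
    Write-Warning "$SourceDomain filters SIDs from $TargetDomain; sidHistory-based access to legacy resources will fail."
}

# Machines the agent dispatch would fail on (no NetBIOS path or no admin$ access).
Get-Content .\computers.txt |
    ForEach-Object { Test-MigrationTarget -Computer $_ } |
    Where-Object { -not ($_.NetBios -and $_.AdminShare) } |
    Format-Table -AutoSize

# --- after a user batch has been migrated ---
$batch = @('jdoe', 'asmith')   # constructed sample accounts
$batch | Where-Object { -not (Test-SidHistoryMigrated -SamAccountName $_) } |
    ForEach-Object { Write-Warning "sidHistory missing on $_ in $TargetDomain" }

# --- before the old forest is retired ---
# Everything still carrying sidHistory is a dependency on the old forest's SIDs;
# list it so it can be re-ACLed and the attribute cleared, rather than leaving a
# permanent second identity on each account.
Get-ADObject -Server $TargetDomain -LDAPFilter '(sidHistory=*)' -Properties sidHistory |
    Select-Object Name, ObjectClass, @{ n = 'sidHistory'; e = { ($_.sidHistory | ForEach-Object Value) -join ',' } }
```

The password migration key Rick describes is created on the ADMT console with the `admt key` command (in ADMT v3.x the form is `admt key /option:create /sourcedomain:<domain> /keyfile:<path> /keypassword:*`; ADMT 2.0's argument syntax differs, so check `admt key /?` on the version actually installed) and then imported on the source-domain DC that runs the Password Export Server.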