RE: [ActiveDir] AD Migration Question

2005-10-11 Thread Alborzfard, Alex

Everyone, thanks for all your responses; they were all very useful.



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, October 10, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Migration Question

How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep & domainprep and then introduce the
win2003 DC. It will be in the same domain.
This also covers some checks for Exchange too.

Of all the services, DHCP can become risky to move without adequate safeguards;
take a look at this article.
How to move a DHCP database from a computer that is running Windows NT Server
4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

--
Kamlesh



On 10/10/05, Alborzfard, Alex [EMAIL PROTECTED] wrote:



Thanks for the advice! Excuse my ignorance, but how do I
upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating
FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain
coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing
them on the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any
chance? If so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema
upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move
DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other
servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a
700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS.
I have one more DNS server. If I go the second route, do I need to set up a DNS
server or can I use the existing ones?



Thanks



--Alex

-- 
~~~
Fortune and Love befriend the bold
~~~


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread ActiveDirectory



My personal opinion is that you carry less crap over if you bring 
up a new 2k3 DC (even if only temporarily). You can always reformat and 
reuse the original server then move it back if you need to.

Bob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question



I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?

Thanks

--Alex


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Peter Johnson

I would, if budget allows, go the second
route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO
roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a
time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your
DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?



Thanks



--Alex

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Al Mulnick
Agreed, although you should be careful to note (and take appropriate actions
for) any apps that utilize hard-coded DNS server entries prior to sunsetting
the original 2K DC.


It's always been a best practice to stand up a new DC vs. upgrade in place.  
Not a hard and fast rule, but a best practice.


If your DNS is integrated, and since WINS is replicable (word?) as well, 
then DHCP is the only animal left to contend with really.  You'll want to 
pay some attention to how you approach that so that you work with the lease 
times, option settings, networks, etc.



-ajm



From: ActiveDirectory [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 08:44:10 -0500

My personal opinion is that you carry less crap over if you bring up a
new 2k3 DC (even if only temporarily).  You can always reformat and
reuse the original server then move it back if you need to.

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?



Thanks



--Alex




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD Migration Question

2005-10-10 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
When we have in-place upgraded SBS 2000s to SBS 2003s they leave
behind a mixmass of permissions, i.e. a blend of 2000 and 2003. Many
in our gang really do not like in-places at all. You don't get a
comparable box to a clean 2003.


You want nice, clean 2003 permission structure? You'll want to swing 
over those roles.


ActiveDirectory wrote:

My personal opinion is that you carry less crap over if you bring up a 
new 2k3 DC (even if only temporarily). You can always reformat and 
reuse the original server then move it back if you need to.

Bob


*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Alborzfard, 
Alex

*Posted At:* Monday, October 10, 2005 8:26 AM
*Posted To:* ActiveDirectory
*Conversation:* AD Migration Question
*Subject:* [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one
more DNS server. If I go the second route, do I need to set up a DNS
server or can I use the existing ones?


Thanks

--Alex


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Rich Milburn
Also check if you have hosts and lmhosts files, and static WINS entries
if WINS is running on your DCs.  We (different org) had issues once with
static mappings and apps looking for a certain machine name, we brought
up a new W2K DC, and then demoted DC1, rebuilt it with the same name,
and dcpromo'd it.  Did the same with DC2, then brought DCTemp down.
Went very smoothly, and no in-place upgrades.


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
I am always doing that which I can not do, in order that I may learn
how to do it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Agreed, although you should be careful to note (and take appropriate
actions for) any apps that utilize hard-coded DNS server entries prior to
sunsetting the original 2K DC.

It's always been a best practice to stand up a new DC vs. upgrade in
place.  Not a hard and fast rule, but a best practice.

If your DNS is integrated, and since WINS is replicable (word?) as well,
then DHCP is the only animal left to contend with really.  You'll want
to pay some attention to how you approach that so that you work with the
lease times, option settings, networks, etc.


-ajm


From: ActiveDirectory [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 08:44:10 -0500

My personal opinion is that you carry less crap over if you bring up a
new 2k3 DC (even if only temporarily).  You can always reformat and
reuse the original server then move it back if you need to.

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?



Thanks



--Alex



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


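The checks Al and Rich describe above (hard-coded DNS server entries, hosts and lmhosts files, WINS pointers), as an added example that is not from the thread: a Windows PowerShell function that sweeps a list of machines for anything still naming the DC about to be retired. It assumes administrator rights on the targets, WMI over DCOM and the admin share reachable (a Windows 2000 box has neither PowerShell nor WinRM, so the checks are done from outside), the ActiveDirectory module for the target list, and the constructed names DC1 / dc1.corp.example / 192.0.2.10 for the old DC; it looks at client-side settings and files, not at the WINS server's own static-mapping database.

```powershell
function Find-OldDcReference {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$OldDcIdentifier   # short name, FQDN and IPs of the DC being retired
    )
    # Whole-token match so that DC1 does not also match DC10; -match is case-insensitive.
    $pattern = '\b(' + (($OldDcIdentifier | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    $dcom = New-CimSessionOption -Protocol Dcom   # WMI over RPC/DCOM, which Windows 2000 supports

    foreach ($c in $ComputerName) {
        try { $session = New-CimSession -ComputerName $c -SessionOption $dcom -ErrorAction Stop }
        catch { Write-Warning "$c : no WMI session ($($_.Exception.Message))"; continue }

        # 1. DNS and WINS servers configured on every IP-enabled adapter, static or DHCP-assigned.
        $nics = Get-CimInstance -CimSession $session -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            $settings = @(
                @{ Source = 'DNSServerSearchOrder'; Values = $nic.DNSServerSearchOrder },
                @{ Source = 'WINSPrimaryServer';    Values = $nic.WINSPrimaryServer },
                @{ Source = 'WINSSecondaryServer';  Values = $nic.WINSSecondaryServer }
            )
            foreach ($s in $settings) {
                foreach ($v in @($s.Values)) {
                    if ($v -and $v -match $pattern) {
                        [pscustomobject]@{ Computer = $c; Source = $s.Source; Detail = $v
                                           ViaDhcp = $nic.DHCPEnabled; Adapter = $nic.Description }
                    }
                }
            }
        }

        # 2. hosts and lmhosts, read over the admin share from the remote system directory
        #    (C:\WINNT\system32 on Windows 2000, C:\Windows\system32 on later versions).
        $sysDir = (Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem).SystemDirectory
        $etcDir = ($sysDir -replace '^([A-Za-z]):', ('\\' + $c + '\$1$')) + '\drivers\etc'
        foreach ($file in 'hosts', 'lmhosts') {
            $path = Join-Path $etcDir $file
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $n = 0
            foreach ($line in Get-Content -LiteralPath $path) {
                $n++
                # Comment lines start with '#'; lmhosts keywords such as #PRE follow the mapping, so they survive.
                if ($line -match '^\s*#' -or $line -notmatch $pattern) { continue }
                [pscustomobject]@{ Computer = $c; Source = $file; Detail = "line $n : $($line.Trim())"
                                   ViaDhcp = $false; Adapter = $null }
            }
        }
        Remove-CimSession $session
    }
}

# Constructed run: every domain-joined machine, checked for the old DC's short name, FQDN and IP.
$targets = Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName
Find-OldDcReference -ComputerName $targets -OldDcIdentifier 'DC1', 'dc1.corp.example', '192.0.2.10' |
    Format-Table -AutoSize
```

Rows with ViaDhcp = True point at the DHCP scope options rather than the client, so fix option 006/044 on the server instead of touching the machine.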

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Alborzfard, Alex

Thanks for the advice! Excuse my
ignorance, but how do I upgrade the schema while I'm installing the
WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and
2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you
meant just installing them on the new server, right?

Did you also have to migrate Exchange (from
2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second
route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO
roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a
time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your
DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to
W2K3 AD. What's the best option: In-place upgrade of the W2K DC, or standing
up a brand new W2K3 DC server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS,
DHCP & WINS. I have one more DNS server. If I go the second route, do I
need to set up a DNS server or can I use the existing ones?



Thanks



--Alex

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Al Mulnick
Check out the upgrade docs at http://www.microsoft.com/ad and the readme 
that comes with your 2003 server media for more specifics.


You won't coexist, you'll insert a 2K3 DC into your 2K domain/forest. As for 
DNS, DHCP, and WINS, the migration is a little different.


DNS - If AD integrated, install on the new DC at installation.  Let it
replicate.
- If not AD integrated, then you'll have to replicate the zone to the new
server.

- Recommended to AD-integrate if that works for the domain you have.

WINS - WINS replicates.  Replicate it to the new instance.  Change the
client settings before sunsetting the old WINS replica. Be sure the clients
have started using the new instance.


DHCP - no replication :( you'll have to migrate it.  There are tools to
help, but it takes some time while you update the client settings. It's not
overnight necessarily.


-ajm

From: Alborzfard, Alex [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 10:16:10 -0400

Thanks for the advice! Excuse my ignorance, but how do I upgrade the
schema while I'm installing the WIN2K3 server? Ditto for migrating
FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a
while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on
the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If
so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question



I would, if budget allows, go the second route. Do the schema upgrade,
bring up a new Windows 2003 server. Migrate FSMO roles to it. Move
DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other
servers out. Reinstall them with W2K3 and dcpromo them back in. Did this
with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?



Thanks



--Alex






RE: [ActiveDir] AD Migration Question

2005-10-10 Thread ActiveDirectory



Just bring up a new 2k3 server, DCPromo it and it will do the rest
as the first 2k3 DC. Once it is successfully promoted, transfer all
roles. Once you are sure everything is transferred and working correctly,
you can DCPromo to demote the old server, wipe, reinstall, whatever. There is
no coexistence other than working in Hybrid mode, and you can switch it to
native once all of your 2K DCs are upgraded to 2K3.

As to moving DNS, WINS, DHCP if your DC is serving all those 
functions then yes activate them on the new server, and make sure you have 
updated the required clients to point at the new server for those 
services. If those services are working on a separate stand-alone server 
then don't worry about them other than to make sure any static entries are 
updated.

If you are planning to bring in Exchange 2k3 I believe it is best 
to get your 2k3 domain stable first. I don't think it is required though, 
but I'm not positive.

Just like anything else though it is best to finish one project 
before starting the next that way you aren't caught trying to troubleshoot 
conflicting issues.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 9:16 AM
Posted To: ActiveDirectory
Conversation: [ActiveDir] AD Migration Question
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice!
Excuse my ignorance, but how do I upgrade the schema while I'm installing the
WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so,
in what sequence did you do the upgrade?

Thanks

--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade,
bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS
etc. to the new server and then DCPROMO, one at a time, your other servers
out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700
user network with no downtime.


Regards
Peter Johnson

P.S

Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question



I have a W2K AD that I want to migrate to W2K3 AD. What's the best
option: In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC
server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more
DNS server. If I go the second route, do I need to set up a DNS server or
can I use the existing ones?

Thanks

--Alex


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Peter Johnson

Hi Alex



Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically
you will need to do the schema extensions on your current Schema master. Once
the changes have replicated to your other DCs then bring up your first W2K3 DC
and move the FSMO roles, taking into account DC/GC placements etc., and then
carry on as in my first mail.



Regards

Peter 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my
ignorance, but how do I upgrade the schema while I'm installing the
WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and
2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you
meant just installing them on the new server, right?

Did you also have to migrate Exchange
(from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second
route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO
roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a
time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your
DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to
W2K3 AD. What's the best option: In-place upgrade of the W2K DC, or
standing up a brand new W2K3 DC server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS,
DHCP & WINS. I have one more DNS server. If I go the second route, do I
need to set up a DNS server or can I use the existing ones?



Thanks



--Alex

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Brian Desmond

You need to upgrade the schema first (before you install the first 2k3
DC). Do an adprep /forestprep from the 2003 CD on the 2000 box. 

Thanks,
Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: Monday, October 10, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my
ignorance, but how do I upgrade the schema while I'm installing the
WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and
2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you
meant just installing them on the new server, right?

Did you also have to migrate Exchange
(from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second
route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO
roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a
time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your
DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to
W2K3 AD. What's the best option: In-place upgrade of the W2K DC, or
standing up a brand new W2K3 DC server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS,
DHCP & WINS. I have one more DNS server. If I go the second route, do I
need to set up a DNS server or can I use the existing ones?



Thanks



--Alex

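The ordering Brian and Peter give (adprep /forestprep on the schema master, domainprep, let it replicate, then the first 2003 DC, then the FSMO roles off the 2000 boxes), as an added readiness check that is not from the thread: Windows PowerShell with the ActiveDirectory module (RSAT), run by an account that can read the schema and configuration partitions. The expected values are assumptions marked in the code: schema objectVersion 30 for Windows Server 2003, and the Windows2003Update marker revisions (9 forest, 8 domain) as given in the adprep verification tables; pass your own if your media differs.

```powershell
#Requires -Modules ActiveDirectory

function Get-AdprepMarker {
    # adprep leaves a marker object behind whose 'revision' attribute counts the
    # operations that completed; no object means that adprep phase never ran here.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        $obj = Get-ADObject -Identity $DistinguishedName -Properties revision -ErrorAction Stop
        [pscustomobject]@{ Present = $true;  Revision = [int]$obj.revision }
    } catch {
        [pscustomobject]@{ Present = $false; Revision = $null }
    }
}

function Test-AdUpgradeReadiness {
    param(
        # Assumed expected values (see lead-in); override if your adprep build differs.
        [int]$ExpectedSchemaVersion  = 30,   # schema objectVersion after 2003 forestprep
        [int]$ExpectedForestRevision = 9,    # Windows2003Update revision under ForestUpdates
        [int]$ExpectedDomainRevision = 8     # Windows2003Update revision under DomainUpdates
    )
    $rootDse = Get-ADRootDSE
    $domain  = Get-ADDomain
    $forest  = Get-ADForest

    # 1. forestprep raises objectVersion on the schema container.
    $schemaVersion = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

    # 2. Marker objects: forestprep writes into the configuration NC, domainprep into the domain NC.
    $forestPrep = Get-AdprepMarker ('CN=Windows2003Update,CN=ForestUpdates,' + $rootDse.configurationNamingContext)
    $domainPrep = Get-AdprepMarker ('CN=Windows2003Update,CN=DomainUpdates,CN=System,' + $domain.DistinguishedName)

    # 3. DC inventory with OS, so each FSMO holder can be matched to an OS version.
    $dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
    $osByHost = @{}
    foreach ($dc in $dcs) { $osByHost[$dc.HostName.ToLower()] = $dc.OperatingSystem }

    # 4. FSMO holders: forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $rolesOn2000 = @(foreach ($r in $roles.GetEnumerator()) {
        $os = $osByHost[([string]$r.Value).ToLower()]
        if ($os -like '*2000*') { "$($r.Key) on $($r.Value) ($os)" }
    })
    $oldDcs = @($dcs | Where-Object { $_.OperatingSystem -like '*2000*' } | Select-Object -ExpandProperty HostName)

    $result = [pscustomobject]@{
        SchemaVersion        = $schemaVersion
        ForestPrepDone       = ($forestPrep.Present -and ($forestPrep.Revision -ge $ExpectedForestRevision))
        DomainPrepDone       = ($domainPrep.Present -and ($domainPrep.Revision -ge $ExpectedDomainRevision))
        DomainMode           = $domain.DomainMode      # mixed/"hybrid" until the last 2000 DC is gone
        ForestMode           = $forest.ForestMode
        Windows2000DCs       = $oldDcs
        RolesStillOn2000DCs  = $rolesOn2000
        ReadyForFirst2003DC  = (($schemaVersion -ge $ExpectedSchemaVersion) -and $forestPrep.Present -and $domainPrep.Present)
        ReadyToDemote2000DCs = ($rolesOn2000.Count -eq 0)
    }
    if (-not $result.ReadyForFirst2003DC) {
        Write-Warning ("Run adprep /forestprep on the schema master (" + $forest.SchemaMaster +
            ") and adprep /domainprep on the infrastructure master (" + $domain.InfrastructureMaster +
            ") from the 2003 media, let them replicate, then re-run this check.")
    }
    if (-not $result.ReadyToDemote2000DCs) {
        Write-Warning ("Transfer these roles before demoting: " + ($rolesOn2000 -join '; '))
    }
    $result
}

Test-AdUpgradeReadiness | Format-List
```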
RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Almeida Pinto, Jorge de
Upgrade KBs:

See:
MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers
MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003
MS-KBQ324392_Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392

Also see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc5ebbdb-a8d7-4761-b38a-e207baa73419.mspx
http://www.petri.co.il/windows_2003_adprep.htm
MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 based Domains
MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000
MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 2003
MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003

Cheers
Jorge



From: [EMAIL PROTECTED] on behalf of Peter Johnson
Sent: Mon 10/10/2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question



Hi Alex

Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically you
will need to do the schema extensions on your current Schema master. Once the
changes have replicated to your other DCs then bring up your first W2K3 DC and
move the FSMO roles, taking into account DC/GC placements etc., and then carry on
as in my first mail.

Regards

Peter




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

 

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema
while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in
what sequence did you do the upgrade?

Thanks

--Alex




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

 

I would, if budget allows, go the second route. Do the schema upgrade, bring up
a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the
new server and then DCPROMO, one at a time, your other servers out. Reinstall
them with W2K3 and dcpromo them back in. Did this with a 700 user network with
no downtime.

Regards

Peter Johnson

P.S

Look out for the article on migrating your DHCP database.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question


I have a W2K AD that I want to migrate to W2K3 AD. What's the best option:
In-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and
then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP & WINS. I have one more DNS
server. If I go the second route, do I need to set up a DNS server or can I use
the existing ones?

Thanks

--Alex





Re: [ActiveDir] AD Migration Question

2005-10-10 Thread Kamlesh Parmar
How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep & domainprep and then introduce the win2003 DC. It will be in the same domain. This also covers some checks for Exchange too.

Of all the services, DHCP can become risky to move without adequate safeguards; take a look at this article.
How to move a DHCP database from a computer that is running Windows NT Server
4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

--
Kamlesh
On 10/10/05, Alborzfard, Alex [EMAIL PROTECTED] wrote:

Thanks for the advice! Excuse my
ignorance, but how do I upgrade the schema while I'm installing the
WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and
2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you
meant just installing them on the new server, right?

Did you also have to migrate Exchange (from
2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?



Thanks



--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second
route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO
roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a
time, your other servers out. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime.



Regards

Peter Johnson



P.S



Look out for the article on migrating your
DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to
W2K3 AD. What's the best option: In-place upgrade of the W2K DC, or standing
up a brand new W2K3 DC server and then upgrade the W2K DC to W2K3?

By the way, the W2K DC is also running DNS,
DHCP & WINS. I have one more DNS server. If I go the second route, do I
need to set up a DNS server or can I use the existing ones?



Thanks



--Alex

-- 
~~~
Fortune and Love befriend the bold
~~~

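The DHCP move that Al and Kamlesh flag as the risky step, as an added example that is not from the thread or from KB 325473: a Windows PowerShell routine run on the new Windows Server 2003 DHCP server after the database has been exported on the old server with "netsh dhcp server export C:\dhcp-export.txt all" and the file copied over. It assumes the local DHCP Server service is installed and running, administrator rights on both servers, and the constructed values OLDDC and C:\dhcp-export.txt; it stops the old service before importing so two servers never answer for the same ranges, and refuses to declare the old server retirable until every scope is accounted for.

```powershell
function Get-DhcpScopeAddress {
    # Scope network addresses parsed from 'netsh dhcp server [\\server] show scope'.
    # Each scope line starts with the scope address followed by ' - <mask> - <state> ...'.
    param([string]$Server)
    $netshArgs = @('dhcp', 'server')
    if ($Server) { $netshArgs += "\\$Server" }
    $netshArgs += 'show', 'scope'
    foreach ($line in (& netsh @netshArgs)) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-') { $Matches[1] }
    }
}

function Import-DhcpDatabaseChecked {
    param(
        [Parameter(Mandatory)][string]$OldServer,
        [Parameter(Mandatory)][string]$ExportFile
    )
    if (-not (Test-Path -LiteralPath $ExportFile)) { throw "Export file $ExportFile not found." }
    if ((Get-Service -Name DHCPServer).Status -ne 'Running') {
        throw 'netsh import talks to the local DHCP Server service; start it first.'
    }

    # 1. Reference list, read while the old server is still serving.
    $expected = @(Get-DhcpScopeAddress -Server $OldServer)
    if ($expected.Count -eq 0) { throw "Read no scopes from $OldServer; stopping before import." }

    # 2. Stop the old service so both servers never hand out the same ranges at once;
    #    leases already issued stay valid on the clients until they renew.
    Get-Service -ComputerName $OldServer -Name DHCPServer | Stop-Service

    # 3. Import scopes, options, reservations and leases into this server.
    & netsh dhcp server import $ExportFile all
    if ($LASTEXITCODE -ne 0) {
        Get-Service -ComputerName $OldServer -Name DHCPServer | Start-Service
        throw "netsh import returned $LASTEXITCODE; old server restarted, nothing to retire yet."
    }

    # 4. Every scope the old server had must now be present here.
    $actual  = @(Get-DhcpScopeAddress)
    $missing = @($expected | Where-Object { $actual -notcontains $_ })
    New-Object PSObject -Property @{
        ExpectedScopes  = $expected
        ImportedScopes  = $actual
        MissingScopes   = $missing
        SafeToRetireOld = ($missing.Count -eq 0)
        NextStep        = 'Authorize this server in AD, then remove the old server''s authorization.'
    }
}

Import-DhcpDatabaseChecked -OldServer 'OLDDC' -ExportFile 'C:\dhcp-export.txt' | Format-List
```

Lease times and scope options (006 DNS servers, 044 WINS servers) come across with the import, so check them afterwards for the old DC's address as well, or clients will be handed the retired server on their next renewal.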

Re: [ActiveDir] AD migration

2005-08-10 Thread Tom Kern
Thanks.
What I'm worried about is that NetBIOS/TCP is turned off and they have
no WINS servers.
How will this affect an external trust like the kind being attempted?
Thanks again

On 8/10/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 See inline below
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Do you mean check off associate with external account on the user attrib?
 
 [RTK] If you mean the ACE Associate with External Account in the ACL of
 the Mail-enabled disabled user - which should have a new entry of [domain in
 other forest\user], yep.  That's the one.  I seem to remember that there is
 at least one maybe two more ACEs that need to be checked as well.  Should
 become apparent pretty quickly.  If you can't find it - I'll dig it up.
 
 Also, how do they see the GAL in the old forest?
 How does outlook in the new domain find the gc's in the old domain(i
 think the answer to this is when it points to the exchange server in
 the old forest, dsproxy will direct them to a gc in the exchange
 server's site?)
 
 [RTK]  The Exchange server in the old forest still has associated GCs, so
 yes - the GCs that are located by the Exchange servers are still used for
 the purposes that they are needed for.
 
 Also, I thought a lot of things would break when disabling NetBIOS over TCP/IP,
 like ESM, Outlook pre-2003, ExMerge, etc.
 
 [RTK]  It's important to understand a specific distinction - especially when
 related to E2k and E2k3.  The dependency is on NetBIOS name resolution - not
 specifically the Application layer API NetBIOS.  Remember - NetBIOS is not a
 protocol.  NetBEUI is.  Neither is routable.  So, if you don't have NBT and
 have WINS - you're going to work fine with what you state above.
 
 Thanks
 
 On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
  Don't worry Kingslan, I won't hold anything against you!  ;)  LOL
 
 
 
  Aric Bernard
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Tuesday, August 09, 2005 2:52 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD migration
 
  U  Well, one - I like simplicity.  Two, I'm not a big fan of
  WINS.
  If all we're trying to do is to establish trust for a migration...
 
  Besides, Bernard has already been here to show me the error of my ways,
  Thank you.
 
  ;o)
 
  Rick
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, August 09, 2005 4:40 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD migration
 
  I didn't read the entire thread so maybe this is answered but this stuck
  out to me: why isn't WINS going to work?
 
  Neither WINS replication nor name resolution requires any trusts, nor even
  authentication. It is all entirely unauthenticated, with replication being
  handled through IP address based connection agreements between the source
  and destination targets.
 
  WINS is entirely name resolution; no worries with trusts or anything else in
  terms of that name resolution.
 
  When you register in WINS, it is anonymous. When you query WINS it is
  anonymous. Only when you use the admin interfaces to say look at the
  database or modify the connection agreements, etc. does any form of
  authentication come into play.
 
 
  When playing across subnets like this with NetBIOS functionality, WINS is
  generally the best way to go; certainly it is one of the least complex. The
  only time I would really look at using LMHOSTS is if there was a
  requirement not to use WINS or you don't want the names to be resolvable to
  anyone that asks.
 
 
joe
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Tuesday, August 09, 2005 12:07 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD migration
 
  Really, it uses neither.  The NetBT is involved, but because we are on (at
  present) untrusted domains and forests, WINS isn't going to work.
 
  Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
  The records are going to be very specific, as they will define the domain of
  the target domain, as well as (typically) the PDC for the target.  A
  'mirror' LMHosts will be set up on the other trusting side.
 
  As noted, the format of the records is specific, and can be found here:
 
  http://support.microsoft.com/kb/180094/
 
  And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
  defined, otherwise they will not work.
 
  Good luck - it's not daunting, but can be tedious to get working the first
  time.
 
  Rick
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Tuesday, August 09, 2005 5:58 AM

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry to keep harping, but if you have a trust between a child Win2K
domain in one forest and a root or child domain in another forest,
does this use WINS or DNS?
I know this is not a real forest trust and more like an external
trust, in that it's not transitive and uses NTLM and NOT Kerberos, but
does it also rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was:
 they have connectivity to the child DNS server but they cut off
 connectivity to anything in the root domain.
 The firewall is blocking all root traffic.
 This has been like this for a week.
 Nothing is replicating to the root and there is no access to the _msdcs
 forest zone.
 
 The forest is Win2K native with an empty root and 1 child domain in a
 separate tree.
 They have DA access in the child domain but no DA/EA access in the root.
 All the Exchange servers (about 10) are in the child domain.
 The only recipient policy in the root is the default one and the enterprise
 RUS.
 
 
 They want to migrate the child domain and all the resources to a new
 forest where we have full control of everything.
 I assume we do not need connectivity to the _msdcs forest DNS zone to
 create a trust with the old child domain to migrate everything over (or
 anything in the root DNS zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you have
  them put a quote and migration plan together prior to the actual migration?
  Or are you asking these questions because you are second-guessing them? Or
  is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when using
  ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a
  tool that overcomes this that I am not aware of. Are you trying to keep
  the same domain name as the source? Microsoft also has a free tool that
  will allow you to rename the target 2003 AD domain after you have
  completed your migration and decommissioned old DCs.
 
  Jose
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
  Jorge de
  Sent: Monday, August 08, 2005 2:46 PM
  To: ActiveDir@mail.activedir.org; activedirectory
  Subject: RE: [ActiveDir] AD migration
 
 
  What do you mean with "In fact, they are cut off from the root domain
  physically"? Do you mean as in there is no replication between the two
  domains? If yes... dare I ask for how long?
 
  As far as I know you can migrate the child domain without the root being
  available because you will be having a trust between the new domain and the
  child domain.
 
  I still don't understand what you mean... They are cut off from the root
  and the DNS is available in the root. I must be missing something. Can you
  explain a bit more?
 
  Jorge
 
  
 
  From: [EMAIL PROTECTED] on behalf of Tom Kern
  Sent: Mon 8/8/2005 11:08 PM
  To: activedirectory
  Subject: [ActiveDir] AD migration
 
 
 
  I just started working for a company. They used to outsource their
  AD/Exchange but now they're trying to get it back.
 
  It's a 2-tree, 2-domain forest. The root domain is empty.
  This company only has DA access on the child domain. No EA access. In
  fact, they are cut off from the root domain physically.
 
  What they want to do is create a new forest and migrate all
  users, Exchange, computers, etc. to the new forest and be done with the
  old.
  They are going to use Quest sw and a consultant from Quest for this.
 
  My question is: can this be done without any connectivity to the root?
  Both DNS zones are in the root so they really don't have any DNS
  locally as well (needless to say, you can imagine what the rep logs
  look like). I'm sure this complicates matters.
  However, the Quest people seem to think this can still work.
  Can it?
 
  Also, can the new forest have the same domain names as the old one?
 
  Thanks (I'm the guy who posted about his new job jitters about a week
  or 2 ago, and here I am. Their AD is more messed up than I thought :)
  )
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick
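What the "very specific" records above look like in practice, as an added example that is not part of Rick's message or of KB 180094: a PowerShell script that builds the `#PRE #DOM:` records for the other domain's DCs, appends them to the local lmhosts file, reloads the NetBIOS name cache, and lists who can write the file. TARGETDOM, TGTDC01/TGTDC02 and the 192.168.10.x addresses are placeholders; the functions are my own names, not tools that ship with Windows.

```powershell
# Added example, not from Rick's message or KB 180094. Builds the LMHOSTS
# records one side of an external trust needs for the other side's domain
# controllers, appends them to the local lmhosts file, reloads the NetBIOS
# name cache, and reports who can tamper with the file. Placeholders:
# TARGETDOM (NetBIOS name of the other domain), TGTDC01/TGTDC02 and their IPs.

$LmHostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

# Record format (from lmhosts.sam): "<ip> <netbios host name> #PRE #DOM:<domain>".
# #PRE preloads the record into the cache; #DOM:<name> marks the host as a DC of
# that domain, which is what trust creation and NTLM pass-through logon look up.
# The keywords are case-sensitive and the domain name must match exactly.
function New-LmHostsEntry([string]$Ip, [string]$DcName, [string]$Domain) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) { throw "bad IP: $Ip" }
    foreach ($name in @($DcName, $Domain)) {
        # NetBIOS names: 1-15 characters, no whitespace or path characters; a dot
        # almost always means someone typed a DNS name here by mistake.
        if ($name.Length -eq 0 -or $name.Length -gt 15 -or $name -match '[\s\\/:*?"<>|.]') {
            throw "bad NetBIOS name: '$name'"
        }
    }
    return ('{0,-16} {1,-16} #PRE #DOM:{2}' -f $Ip, $DcName.ToUpper(), $Domain.ToUpper())
}

# Append only records not already present, then purge and reload the cache.
function Add-LmHostsEntries([string[]]$Entries, [string]$Path = $LmHostsPath) {
    $existing = @()
    if (Test-Path $Path) { $existing = @(Get-Content $Path) }
    $new = @($Entries | Where-Object { $existing -notcontains $_ })
    if ($new.Count) { Add-Content -Path $Path -Value $new -Encoding Ascii }
    nbtstat -R | Out-Null       # "Successful purge and preload of the NBT Remote Cache Name Table"
    return (nbtstat -c)         # the #PRE records should now be listed here
}

# The resolver trusts this file blindly: anyone who can write it can redirect
# "the DCs of TARGETDOM" to a host of their choosing. Only SYSTEM and
# Administrators should have write access; anything else gets reported.
function Get-LmHostsWriters([string]$Path = $LmHostsPath) {
    (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
        $_.IdentityReference.Value -notmatch '^NT AUTHORITY\\SYSTEM$|^BUILTIN\\Administrators$'
    } | ForEach-Object { $_.IdentityReference.Value }
}

# On a DC of the new forest, list the DCs of the old child domain (placeholders);
# the "mirror" file on the old side lists the new forest's DCs the same way.
$entries = @(
    (New-LmHostsEntry '192.168.10.5' 'TGTDC01' 'TARGETDOM'),
    (New-LmHostsEntry '192.168.10.6' 'TGTDC02' 'TARGETDOM')
)
Add-LmHostsEntries $entries
Get-LmHostsWriters
```

Two caveats a practitioner would want: the file is only consulted when NetBIOS over TCP/IP is enabled on the adapter and "Enable LMHOSTS lookup" is checked (both are the default, but not in an environment that has deliberately switched NetBT off), and `nbtstat -R` needs an elevated/administrative session. Verify the result with `nbtstat -c`: the entries must show up as `TARGETDOM <1C>` group records, which is the form the trust wizard queries.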


Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Why can't you just use stub zones or conditional forwarding for this to work?

Or, if NetBT is involved, can you just configure your WINS servers to
replicate? I thought WINS replication had nothing to do with NT
security; you just enter the IP of the partner servers...

Thanks


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to you.

However, given the trials and tribulations that you have discussed with us
over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable best practice method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick way
of doing something.  I am sure that the company that has retained your
services is being billed for the time that you work to migrate their user
base and Exchange to something that they can control.  Finding a DNS or a
WINS solution when the LMHosts solution is 'best practice' is simply not a
good idea.

Rick


RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Tom,

While I am sure that Rick has some document in which using LMHosts files
are identified as a best practice, I can assure you that it is quite
feasible to use WINS to accomplish the name resolution requirement for
the task at hand: creating an external trust between two domains with
different names explicitly for the purpose of migrating client systems
from one domain to another.  In fact I might suggest that in many cases
this is a better approach.  The Quest products will rely on name
resolution (as well as the trust) in order to migrate users, groups,
workstations, servers and other resources between domains.  This name
resolution will in fact be even more important during the migration
process if users in one domain will need to access resources in the
other domain.  The existing WINS environment is already populated with
necessary records, and has all the information required to resolve the
names of DCs, resource servers, workstations, etc. in the existing
domain.  Assuming you have administrative control over the WINS server,
you can certainly configure WINS replication between a WINS server in
the new environment and one in the existing environment - and no, a
trust is not needed to make this work as WINS replication (and
resolution) is generally unauthenticated.

If you are planning to migrate your WINS servers to the new environment
I might argue that the best approach would be to migrate them first (one
by one verifying functionality as you go) to the new environment and
continue to point both old *and new systems* to the same WINS servers.
Of course this assumes, as stated previously, that you have
administrative control over the WINS servers.  This implementation
should avoid the need to use LMHost files or change primary/secondary
WINS assignments on migrated systems.  This is an approach I have used
many times when migrating between forests and between NT4 domains and AD
domains.

As for migrating without the availability of the root domain, you should
be mostly OK as the Quest representatives stated.  However without the
root being accessible and the _msdcs DNS domain being unavailable, I
would certainly look to accelerate the migration as you should start
having replication even within your child domain(s).

Regards,

Aric


Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry, I wasn't trying to be tricky.

I actually suggested the LMHOSTS solution but the consultants from IBM
who are planning the migration with MS are going the DNS route.

MS hacked the formerly AD-integrated DNS from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has NetBIOS disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because I don't feel the warm
and fuzzies from these guys from IBM as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mailboxes (while Exchange is still in the
old forest) or does SID history make it so they can access Exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
> Tom,
>
> While I am sure that Rick has some document in which using LMHosts files
> are identified as a best practice, I can assure you that it is quite
> feasible to use WINS to accomplish the name resolution requirement for
> the task at hand: creating an external trust between two domains with
> different names explicitly for the purpose of migrating client systems
> from one domain to another.  In fact I might suggest that in many cases
> this is a better approach.  The Quest products will rely on name
> resolution (as well as the trust) in order to migrate users, groups,
> workstations, servers and other resources between domains.  This name
> resolution will in fact be even more important during the migration
> process if users in one domain will need to access resources in the
> other domain.  The existing WINS environment is already populated with
> necessary records, and has all the information required to resolve the
> names of DCs, resource servers, workstations, etc. in the existing
> domain.  Assuming you have administrative control over the WINS server,
> you can certainly configure WINS replication between a WINS server in
> the new environment and one in the existing environment - and no, a
> trust is not needed to make this work as WINS replication (and
> resolution) is generally unauthenticated.
>
> If you are planning to migrate your WINS servers to the new environment
> I might argue that the best approach would be to migrate them first (one
> by one, verifying functionality as you go) to the new environment and
> continue to point both old *and new systems* to the same WINS servers.
> Of course this assumes, as stated previously, that you have
> administrative control over the WINS servers.  This implementation
> should avoid the need to use LMHosts files or change primary/secondary
> WINS assignments on migrated systems.  This is an approach I have used
> many times when migrating between forests and between NT4 domains and AD
> domains.
>
> As for migrating without the availability of the root domain, you should
> be mostly OK as the Quest representatives stated.  However without the
> root being accessible and the _msdcs DNS domain being unavailable, I
> would certainly look to accelerate the migration as you should start
> having replication even within your child domain(s).
>
> Regards,
>
> Aric
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, August 09, 2005 9:35 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD migration
>
> Tom,
>
> The solution that I gave you is the only one that I know of.  If you are
> able to get DNS to work (doubtful) or are able to get WINS to replicate
> across a trust that at the present time doesn't exist, more power to
> you.
>
> However, given the trials and tribulations that you have discussed with
> us over the past couple of weeks - *I* would be looking for the easiest,
> accepted, maintainable best practice method for getting your job done.
>
> A piece of personal advice - and you can choose to ignore it or use it -
> it's free.
>
> In your new position, they are looking for results - not the most trick
> way of doing something.  I am sure that the company that has retained
> your services is being billed for the time that you work to migrate
> their user base and Exchange to something that they can control.
> Finding a DNS or a WINS solution when the LMHosts solution is 'best
> practice' is simply not a good idea.
>
> Rick
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 09, 2005 11:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD migration
>
> Why can't you just use stub zones or conditional forwarding for this to
> work?
>
> Or if NetBT is involved, can you just configure your WINS servers to
> replicate?  I thought WINS replication had nothing to do with NT
> security.  You just enter the IP of the partner

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

Argumentative - no.  Tricky, no - I didn't think that at all.  (*Trick* is
an old racing term of mine that leaks out now and again.  Simply means
doing something others don't do...  It's not a bad term at all).

As Bernard pointed out - there's a thing or two that I didn't account for.
He gives you some good information.

As to 'converting' the standard sec. into a primary - good plan.  I like
their thinking!  :0)

Now that you know that you have control of the DNS (as well as the WINS) I
suspect that the DNS is the better route.  By nature and by approach, I have
a tendency to do things the simplest and least complicated way possible.
The reason is tantamount to flying the Space Shuttle as compared to an
ultra-light.  Simplicity wins - based on your needs.  (IOW, if I have to go
into space, the shuttle wins... you get my meaning...)

NetBIOS disabled does have an impact on choices.  If they have DNS
functioning - go with it.

As to the Exchange - a bit of an issue - but it's not big.  They don't
have to log in per se.  If you have the trust in place, half of the
problem is done.  User A in Domain B has a mailbox on an Exchange server in
domain A.  The account properties for the mailbox need to indicate the
mailbox in domain A, and the permission on the disabled mailbox-enabled user
account in domain A need to indicate that User A in Domain B has External
Acct Permissions to the mailbox.

If the above paragraph makes no sense, let me know.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry, I wasn't trying to be tricky.

I actually suggested the LMHOSTS solution but the consultants from IBM
who are planning the migration with MS are going the DNS route.

MS hacked the formerly AD-integrated DNS from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has NetBIOS disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because I don't feel the warm
and fuzzies from these guys from IBM as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mboxes (while Exchange is still in the
old forest) or does SID history make it so they can access Exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Tom,
 
 While I am sure that Rick has some document in which using LMHosts files
 are identified as a best practice, I can assure you that it is quite
 feasible to use WINS to accomplish the name resolution requirement for
 the task at hand: creating an external trust between two domains with
 different names explicitly for the purpose of migrating client systems
 from one domain to another.  In fact I might suggest that in many cases
 this is a better approach.  The Quest products will rely on name
 resolution (as well as the trust) in order to migrate users, groups,
 workstations, server and other resources between domains.  This name
 resolution will in fact be even more important during the migration
 process if users in one domain will need to access resources in the
 other domain.  The existing WINS environment is already populated with
 necessary records, and has all the information required to resolve the
 names of DCs, resource servers, workstations, etc. in the existing
 domain.  Assuming you have administrative control over the WINS server,
 you can certainly configure WINS replication between a WINS server in
 the new environment and one in the existing environment - and no, a
 trust is not needed to make this work as WINS replication (and
 resolution) is generally unauthenticated.
 
 If you are planning to migrate your WINS servers to the new environment
 I might argue that the best approach would be to migrate them first (one
 by one verifying functionality as you go) to the new environment and
 continue to point both old *and new systems* to the same WINS servers.
 Of course this assumes, as stated previously, that you have
 administrative control over the WINS servers.  This implementation
 should avoid the need to use LMHost files or change primary/secondary
 WINS assignments on migrated systems.  This is an approach I have used
 many times when migrating between forests and between NT4 domains and AD
 domains.
 
 As for migrating without the availability of the root domain, you should
 be mostly OK as the Quest representatives stated.  However without the
 root being accessible and the _mscds DNS domain being unavailable, I
 would certainly look to accelerate the migration as you should start
 having replication even within

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to, say, look at the
database or modify the connection agreements, etc. does any form of
authentication come into play.


When playing across subnets like this with NetBIOS functionality, WINS is
generally the best way to go; certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping - but if you have a trust between a child Win2K domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
> I just started today so what I got was - they have connectivity to the
> child DNS server but they cut off connectivity to anything in the root
> domain.
> The firewall is blocking all root traffic.
> This has been like this for a week.
> Nothing is replicating to the root and there is no access to the _msdcs
> forest zone.
>
> The forest is Win2K native with an empty root and 1 child domain in a
> separate tree.
> They have DA access in the child domain but no DA/EA access in the root.
> All the Exchange servers (about 10) are in the child domain.
> The only recipient policy in the root is the default one and the
> enterprise RUS.
>
>
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdcs forest DNS zone to
> create a trust with the old child domain to migrate everything over (or
> anything in the root DNS zone).
>
> I'm not 2nd guessing the Quest guys, this is only for my own education.
>
> Thanks a lot
>
>
> On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
> > have them put a quote and migration plan together prior to the actual
> > migration? Or are you asking these questions because you are second guessing
> > them? Or is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when
> > using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
> > has a tool that overcomes this that I am not aware of. Are you trying to
> > keep the same domain name as the source? Microsoft also has a free tool that
> > will allow you to rename the target 2003 AD domain after you have
> > completed your migration and decommissioned old DCs.
> >
> > Jose
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Almeida
> > Pinto, Jorge de
> > Sent: Monday, August 08, 2005 2:46 PM
> > To: ActiveDir@mail.activedir.org; activedirectory
> > Subject: RE: [ActiveDir] AD migration
> >
> >
> > What do you mean with "In fact, they are cut off from the root domain
> > physically."? Do you mean as in there is no replication between the two
> > domains? If yes... dare I ask for how long?
> >
> > As far as I know you can migrate the child domain without the root being
> > available because you will be having a trust between the new domain and the
> > child domain
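Rick's warning above that the LMHOSTS DOMAIN records must match the documented format exactly is the part people most often get wrong. The following is an added example (not code posted by anyone in this thread): it generates the mirrored LMHOSTS entries each side of the trust needs for the other domain's PDC and validates the quoted special-name entry, whose NetBIOS name must be space-padded to exactly 15 characters before the \0xNN suffix, as described in the lmhosts.sam sample that ships with Windows. It goes a little beyond the thread by producing both sides' files at once; all IPs, host names and domain names are constructed.

```python
"""LMHOSTS entries for name resolution between two untrusted domains.

Added example for this thread; not code posted by any participant. The syntax
follows the lmhosts.sam sample shipped with Windows: a '#PRE #DOM:<domain>'
entry for the other domain's PDC, and a quoted special-name entry in which the
NetBIOS name is space-padded to exactly 15 characters before the \\0xNN suffix.
All IPs, host names and domain names below are constructed.
"""
import re

NB_NAME_LEN = 15             # NetBIOS names are 16 bytes; byte 16 is the suffix
DOMAIN_MASTER_SUFFIX = 0x1B  # suffix of the domain master browser (the PDC)


def _check_nb_name(name: str) -> None:
    """Reject names that cannot fit in the 15-character NetBIOS name field."""
    if not 1 <= len(name) <= NB_NAME_LEN or " " in name:
        raise ValueError(f"invalid NetBIOS name: {name!r}")


def pdc_record(ip: str, pdc_name: str, domain: str) -> str:
    """'<ip> <pdc> #PRE #DOM:<domain>': preload and mark <pdc> as a DC of <domain>."""
    _check_nb_name(pdc_name)
    _check_nb_name(domain)
    return f"{ip:<16}{pdc_name:<16}#PRE #DOM:{domain}"


def special_name_record(ip: str, name: str, suffix: int) -> str:
    """'<ip> "<name padded to 15>\\0xNN" #PRE': a quoted special NetBIOS name."""
    _check_nb_name(name)
    padded = name.ljust(NB_NAME_LEN)   # the padding is the part people get wrong
    return f'{ip:<16}"{padded}\\0x{suffix:02X}" #PRE'


def lmhosts_for_side(local_domain: str, remote_ip: str,
                     remote_pdc: str, remote_domain: str) -> str:
    """The records one side needs so it can find the *other* domain's PDC."""
    return "\n".join([
        f"# LMHOSTS on the {local_domain} side: entries for {remote_domain}",
        pdc_record(remote_ip, remote_pdc, remote_domain),
        special_name_record(remote_ip, remote_domain, DOMAIN_MASTER_SUFFIX),
    ])


def mirrored_lmhosts(side_a: tuple, side_b: tuple) -> dict:
    """Each side is (domain, pdc_name, pdc_ip); returns {domain: file text}.

    This is the 'mirror' arrangement: A's file points at B's PDC and B's file
    points at A's PDC, so the trust can be created over NetBT without WINS.
    """
    a_dom, a_pdc, a_ip = side_a
    b_dom, b_pdc, b_ip = side_b
    return {
        a_dom: lmhosts_for_side(a_dom, b_ip, b_pdc, b_dom),
        b_dom: lmhosts_for_side(b_dom, a_ip, a_pdc, a_dom),
    }


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"')


def validate_special_entry(line: str) -> tuple:
    """Check a quoted special-name entry; returns (ok, reason)."""
    m = _QUOTED.match(line)
    if not m:
        return False, "not a quoted special-name entry"
    body = m.group(2)
    idx = body.find("\\0x")
    if idx == -1:
        return False, "missing \\0xNN suffix"
    if idx != NB_NAME_LEN:
        return False, (f"name occupies {idx} characters before the suffix; "
                       f"it must be padded to exactly {NB_NAME_LEN}")
    if not re.fullmatch(r"\\0x[0-9A-Fa-f]{2}", body[idx:]):
        return False, "suffix must be \\0x followed by two hex digits"
    return True, "ok"


if __name__ == "__main__":
    files = mirrored_lmhosts(("NEWFOREST", "NEWDC1", "10.2.2.5"),
                             ("OLDCHILD", "OLDPDC", "10.1.1.5"))
    for dom, text in files.items():
        print(f"--- {dom} ---\n{text}\n")
    # A hand-typed entry with the padding wrong fails validation.
    print(validate_special_entry('10.1.1.5 "OLDCHILD \\0x1B" #PRE'))
```

Once the generated text is saved as the lmhosts file under %SystemRoot%\System32\Drivers\etc on each side, `nbtstat -R` purges and reloads the NetBIOS name cache from it, and `nbtstat -c` then shows whether the #PRE entries were accepted.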

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
A it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran well,
but then it was well configured and well monitored. MS didn't make it easy
to monitor it, actually I think they tried everything they could to make it
so you couldn't monitor it, but those who figured it out, tended to be ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names... 


   joe
 

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



Aric Bernard

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
LOL - I probably would not have this problem if I spelled my first name
correctly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

A it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran
well,
but then it was well configured and well monitored. MS didn't make it
easy
to monitor it, actually I think they tried everything they could to make
it
so you couldn't monitor it, but those who figured it out, tended to be
ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names... 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of
WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck
out
to me, why isn't WINS going to work? 

WINS replication nor name resolution doesn't require any trusts nor even
authentication. It is all entirely unauthenticated with replication
being
handled through IP address based connection agreements between the
source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything
else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS
is
generally the best way to go, certainly it is one of the least complex.
The
only time I would really look at using LMHOSTS is if there was a
requirement
not to use WINS or you don't want the names to be resolveable to anyone
that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on
(at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC
directory.
The records are going to be very specific, as they will define the
domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the
first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k
domain
in one forest with a root or child domain in another forest, does this
use
wins or dns.
i know this is not a real forest trust and more like an external trust
in
that its not transitive and uses ntlm and NOT kerberos, but does it also
relie on wins/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the 
 child dns server but they cut off connectivity to anything in the root

 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc

 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a 
 seperate tree.
 they have DA access in the child domain but no DA/EA access in the
root.
 all the exchange servers(about 10) are in the child domain.
 the only recipent policy in the root is the default one and the 
 enterprise
RUS.
 
 
 They want to migrate the child domain and all the resources to a new 
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to 
 create a trust with the old child domain to migrate everything over(or

 anything in the root
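
An added example, not code from this thread, from Microsoft or from the KB article linked above: a small Python validator for the LMHOSTS entries an external/NT-style trust depends on, written to catch the exact-format mistakes the post warns about before the file is deployed rather than after the trust fails. The file content, host names, addresses and the CORPOLD domain are constructed for the example. It checks the two record shapes involved: the preloaded #PRE #DOM entry naming the trusted domain's PDC, and the quoted domain-name entry whose string must be the NetBIOS name space-padded to 15 characters followed by \0x1b (20 characters inside the quotes).

```python
"""Validate LMHOSTS trust entries before deploying them (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample file content. The two good lines are the record shapes
# needed for an NT-style/external trust: a preloaded (#PRE) #DOM entry naming
# the trusted domain's PDC, and the quoted domain-name entry whose string is
# the NetBIOS name space-padded to 15 characters followed by \0x1b.
SAMPLE_LMHOSTS = r"""
# lmhosts for a trust to the (constructed) CORPOLD domain
10.1.1.10     OLDPDC01                #PRE  #DOM:CORPOLD
10.1.1.10     "CORPOLD        \0x1b"  #PRE
# deliberately broken entries, for the validator to catch
10.1.1.11     VERYLONGNETBIOSNAME     #PRE     # name is 19 characters
10.1.1.12     "CORPOLD \0x1b"         #PRE     # quoted string is not padded to 20
999.1.1.1     BADHOST                 #PRE     # not an IPv4 address
"""

NETBIOS_NAME_MAX = 15
# address, then either a quoted name (may contain spaces) or a bare name, then the rest
_ENTRY_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
# quoted form: exactly 15 characters of name plus padding, then the 16th byte as \0xNN
_SUFFIXED_RE = re.compile(r'^(.{15})\\0x([0-9A-Fa-f]{2})$')


@dataclass
class LmhostsRecord:
    line_no: int
    ip: str
    name: str = ""
    suffix: Optional[str] = None      # 16th-byte service suffix, e.g. "1b", or None
    pre: bool = False
    dom: Optional[str] = None         # value of #DOM:, if present
    errors: List[str] = field(default_factory=list)


def _parse_name(raw: str, rec: LmhostsRecord) -> None:
    if raw.startswith('"'):
        inner = raw[1:-1]
        m = _SUFFIXED_RE.match(inner)
        if not m:
            rec.name = inner
            rec.errors.append(
                "quoted name must be exactly 15 characters (space padded) followed by \\0xNN")
            return
        rec.name = m.group(1).rstrip()
        rec.suffix = m.group(2).lower()
    else:
        rec.name = raw
        if len(raw) > NETBIOS_NAME_MAX:
            rec.errors.append(f"NetBIOS name longer than {NETBIOS_NAME_MAX} characters")


def parse_lmhosts(text: str) -> List[LmhostsRecord]:
    """Parse LMHOSTS text into records, collecting format errors per record."""
    records: List[LmhostsRecord] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # blank lines, comments and #INCLUDE-style directives are not validated here
        if not stripped or stripped.startswith("#"):
            continue
        m = _ENTRY_RE.match(stripped)
        if not m:
            records.append(LmhostsRecord(line_no, stripped,
                                         errors=["entry needs an address and a name"]))
            continue
        ip_raw, name_raw, rest = m.groups()
        rec = LmhostsRecord(line_no=line_no, ip=ip_raw)
        try:
            ipaddress.IPv4Address(ip_raw)
        except ValueError:
            rec.errors.append(f"{ip_raw!r} is not a valid IPv4 address")
        _parse_name(name_raw, rec)
        for tok in rest.split():
            upper = tok.upper()
            if upper == "#PRE":
                rec.pre = True
            elif upper.startswith("#DOM:"):
                rec.dom = tok[5:]
                if not 1 <= len(rec.dom) <= NETBIOS_NAME_MAX:
                    rec.errors.append("#DOM: needs a NetBIOS domain name of 1-15 characters")
            elif upper in ("#MH", "#NOFNR"):
                pass                      # other valid keywords, nothing to check
            elif tok.startswith("#"):
                break                     # start of a trailing comment
            else:
                rec.errors.append(f"unexpected token {tok!r}")
        records.append(rec)
    return records


def domains_with_both_records(records: List[LmhostsRecord]) -> set:
    """Domains that have both a clean #DOM entry and a clean \\0x1b entry."""
    dom_ok = {r.dom.upper() for r in records if r.dom and not r.errors}
    b1_ok = {r.name.upper() for r in records if r.suffix == "1b" and not r.errors}
    return dom_ok & b1_ok


if __name__ == "__main__":
    recs = parse_lmhosts(SAMPLE_LMHOSTS)
    for r in recs:
        status = "ok" if not r.errors else "; ".join(r.errors)
        print(f"line {r.line_no}: {r.ip} {r.name!r} suffix={r.suffix} "
              f"pre={r.pre} dom={r.dom} -> {status}")
    print("domains with both trust records:", sorted(domains_with_both_records(recs)))
```

Point it at a copy of the lmhosts file from the \Drivers\ETC directory on each side of the trust before reloading the name cache; any record with a non-empty errors list is one the "EXACTLY as defined" warning above applies to, and a domain missing from domains_with_both_records is one whose PDC or domain-name record is absent or malformed.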

Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Do you mean check off "associate with external account" on the user attrib?

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain? (I
think the answer to this is when it points to the Exchange server in
the old forest, DSProxy will direct them to a GC in the Exchange
server's site?)

Also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM,outlook pre 2003,exmerge,etc.

Thanks

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Don't worry Kingslan, I won't hold anything against you!  ;)  LOL
 
 
 
 Aric Bernard
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 2:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 U  Well, one - I like simplicity.  Two, I'm not a big fan of
 WINS.
 If all we're trying to do is to establish trust for a migration...
 
 Besides, Bernard has already been here to show me the error of my ways,
 Thank you.
 
 ;o)
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 09, 2005 4:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 I didn't read the entire thread so maybe this is answered but this stuck
 out
 to me, why isn't WINS going to work?
 
 Neither WINS replication nor name resolution requires any trusts, nor even
 authentication. It is all entirely unauthenticated, with replication being
 handled through IP address based connection agreements between the source
 and destination targets.
 
 WINS is entirely name resolution, no worries with trusts or anything
 else in
 terms of that name resolution.
 
 When you register in WINS, it is anonymous. When you query WINS it is
 anonymous. Only when you use the admin interfaces to say look at the
 database or modify the connection agreements, etc does any form of
 authentication come into play.
 
 
 When playing across subnets like this with netbios functionality, WINS
 is
 generally the best way to go, certainly it is one of the least complex.
 The
 only time I would really look at using LMHOSTS is if there was a
 requirement
 not to use WINS or you don't want the names to be resolvable to anyone
 that
 asks.
 
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 12:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 Really, it uses neither.  The NetBT is involved, but because we are on
 (at
 present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC
 directory.
 The records are going to be very specific, as they will define the
 domain of
 the target domain, as well as (typically) the PDC for the target.  A
 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the
 first
 time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
 domain in one forest with a root or child domain in another forest, does this
 use WINS or DNS?
 I know this is not a real forest trust and more like an external trust in
 that it's not transitive and uses NTLM and NOT Kerberos, but does it also
 rely on WINS/NetBIOS like an old NT-style trust?
 
 thanks
 
 On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
  I just started today so what I got was- they have connectivity to the
  child dns server but they cut off connectivity to anything in the root
 
  domain.
  the firewall is blocking all root traffic.
  this has been like this for a week.
  nothing is replicating to the root and there is no access to the _msdc
 
  forest zone.
 
  The forest is win2k native with an empty root and 1 child domain in a
  separate tree.
  they have DA access in the child domain but no DA/EA access in the
 root.
  all the exchange servers(about 10) are in the child domain.
  the only recipient policy in the root is the default one and the
  enterprise
 RUS.
 
 
  They want to migrate the child domain and all the resources to a new
  forest where we have full control of everything.
  i assume we do not need connectivity to the _msdc forest dns zone to
  create a trust with the old child domain to migrate everything over(or
 
  anything in the root dns zone).
 
  I'm not 2nd guessing the Quest guys, this is only for my own

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Ack!  Aric, sorry about that..  I think that I've been almost fooled by
that once before and caught myself.

The other problem is the format that Outlook displays names in.  Some are
Firstname Lastname i.e. 'Jennifer Fountain' (or just firstname / nickname /
pseudonym, i.e. 'joe') or Lastname, Firstname (i.e. 'Wells, Dean').  Or,
Bernard, Aric.

That's my excuse - I'm sticking to it

Not exactly on the same lines, but a guy I used to work with was named
Martin Ferry.  Imagine what we called him.  In the form of a verb and a
proper noun, please.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of
WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck
out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts, nor even
authentication. It is all entirely unauthenticated, with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything
else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS
is
generally the best way to go, certainly it is one of the least complex.
The
only time I would really look at using LMHOSTS is if there was a
requirement
not to use WINS or you don't want the names to be resolvable to anyone
that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on
(at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC
directory.
The records are going to be very specific, as they will define the
domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the
first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k
domain in one forest with a root or child domain in another forest, does this
use WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the 
 child dns server but they cut off connectivity to anything in the root

 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc

 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a 
 separate tree.
 they have DA access in the child domain but no DA/EA access in the
root.
 all the exchange servers(about 10) are in the child domain.
 the only recipient policy in the root is the default one and the 
 enterprise
RUS.
 
 
 They want to migrate the child domain and all the resources to a new 
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to 
 create a trust with the old

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
See inline below

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Do you mean check off "associate with external account" on the user attrib?

[RTK] If you mean the ACE "Associate with External Account" in the ACL of
the mail-enabled disabled user - which should have a new entry of [domain in
other forest\user], yep.  That's the one.  I seem to remember that there is
at least one, maybe two, more ACEs that need to be checked as well.  Should
become apparent pretty quickly.  If you can't find it - I'll dig it up.

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain? (I
think the answer to this is when it points to the Exchange server in
the old forest, DSProxy will direct them to a GC in the Exchange
server's site?)

[RTK]  The Exchange server in the old forest still has associated GCs, so
yes - the GCs that are located by the Exchange servers are still used for
the purposes that they are needed for.

Also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM,outlook pre 2003,exmerge,etc.

[RTK]  It's important to understand a specific distinction - especially when
related to E2k and E2k3.  The dependency is on NetBIOS name resolution - not
specifically the Application layer API NetBIOS.  Remember - NetBIOS is not a
protocol.  NetBEUI is.  Neither is routable.  So, if you don't have NBT and
have WINS - you're going to work fine with what you state above.

Thanks

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Don't worry Kingslan, I won't hold anything against you!  ;)  LOL
 
 
 
 Aric Bernard
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 2:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 U  Well, one - I like simplicity.  Two, I'm not a big fan of
 WINS.
 If all we're trying to do is to establish trust for a migration...
 
 Besides, Bernard has already been here to show me the error of my ways,
 Thank you.
 
 ;o)
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 09, 2005 4:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 I didn't read the entire thread so maybe this is answered but this stuck
 out
 to me, why isn't WINS going to work?
 
 Neither WINS replication nor name resolution requires any trusts, nor even
 authentication. It is all entirely unauthenticated, with replication being
 handled through IP address based connection agreements between the source
 and destination targets.
 
 WINS is entirely name resolution, no worries with trusts or anything
 else in
 terms of that name resolution.
 
 When you register in WINS, it is anonymous. When you query WINS it is
 anonymous. Only when you use the admin interfaces to say look at the
 database or modify the connection agreements, etc does any form of
 authentication come into play.
 
 
 When playing across subnets like this with netbios functionality, WINS
 is
 generally the best way to go, certainly it is one of the least complex.
 The
 only time I would really look at using LMHOSTS is if there was a
 requirement
 not to use WINS or you don't want the names to be resolvable to anyone
 that
 asks.
 
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 12:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 Really, it uses neither.  The NetBT is involved, but because we are on
 (at
 present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC
 directory.
 The records are going to be very specific, as they will define the
 domain of
 the target domain, as well as (typically) the PDC for the target.  A
 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the
 first
 time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
 domain in one forest with a root or child domain in another forest, does this
 use WINS or DNS?
 I know this is not a real forest trust and more like an external trust in
 that it's not transitive

RE: [ActiveDir] AD migration

2005-08-08 Thread Grillenmeier, Guido
Hey Tom - sounds like fun.

The phrase "they are cut off from the root domain physically" combined
with "both dns zones are in the root and they don't have any dns
locally" sounds a bit unrealistic - this should naturally cause numerous
replication issues; basically nothing should work (even normal
authentication) as it all requires DNS lookup.  

So I'm guessing that you do have some DNS servers in your child domains
and it would be worthwhile for you to check if there are any secondary
zones from the root domain (or the _msdcs subzone) being hosted on your
child DCs or another DNS server used in your network.  But your task
doesn't seem to be fixing the current AD implementation, but rather to
move away from it.

DNS name-resolution is critical for any kind of trust in AD (except for
trusts to NT4 domains which is not your scenario), however, you do not
require EA permissions to set them up from your child domain to another
domain in a new forest.  But naturally you won't be able to create a
forest-trust (i.e. from root of current forest to root of new forest). 

The names of those domains that are directly trusted can NOT be the same
(need to have different NetBios domain names). 

So yes, migration should work and even if you don't want to fix the
current chaos, you should ensure that DNS works well (in the worst case
concentrate on creating a workaround just for your child domain - which
should be sufficient for trust creation to your new forest where I'm
sure you fully control DNS).


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, 9 August 2005 00:09
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. they used to outsource their
AD/Exchange but now they're trying to get it back.

It's a 2 tree, 2 domain forest. The root domain is empty.
This company only has DA access on the child domain. No EA access. In
fact, they are cut off from the root domain physically.

What they want to do is create a new forest and migrate all
users,exchange,computers,etc to the new forest and be done with the
old.
They are going to use Quest sw and a consultant from Quest for this.

My question is- can this be done without any connectivity to the root?
both dns zones are in the root so they really don't have any dns
locally as well (needless to say, you can imagine what the rep logs
look like). I'm sure this complicates matters.
however, the Quest people seem to think this can still work.
can it?

also, can the new forest have the same domain names as the old one?

Thanks(I'm the guy who posted about his new job jitters about a week
or 2 ago, and here i am. Their AD is more messed up than I thought :)
)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD migration

2005-08-08 Thread Almeida Pinto, Jorge de
What do you mean with "In fact, they are cut off from the root domain 
physically."? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know, you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. they used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2 tree, 2 domain forest. The root domain is empty. 
This company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users,exchange,computers,etc to the new forest and be done with the 
old. 
They are going to use Quest sw and a consultant from Quest for this. 

My question is- can this be done without any connectivity to the root? 
both dns zones are in the root so they really don't have any dns 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
however, the Quest people seem to think this can still work. 
can it? 

also, can the new forest have the same domain names as the old one? 

Thanks(I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here i am. Their AD is more messed up than I thought :) 
) 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] AD migration

2005-08-08 Thread Medeiros, Jose
I am sure Quest's consultants know what they are doing. Didn't you have them 
put a quote and migration plan together prior to the actual migration? Or are 
you asking these questions because you are second guessing them? Or is this 
just for your own knowledge?

My understanding is that both domain names have to be different when using ADMT 
to migrate from a Source Domain to a Target Domain, unless Quest has a tool 
that overcomes this that I am not aware of. Are you trying to keep the same 
domain name as the source? Microsoft also has a free tool that will allow you 
to rename the target 2003 AD domain after you have completed your migration 
and decommissioned old DCs.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, August 08, 2005 2:46 PM
To: ActiveDir@mail.activedir.org; activedirectory
Subject: RE: [ActiveDir] AD migration


What do you mean with "In fact, they are cut off from the root domain 
physically."? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know, you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. they used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2 tree, 2 domain forest. The root domain is empty. 
This company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users,exchange,computers,etc to the new forest and be done with the 
old. 
They are going to use Quest sw and a consultant from Quest for this. 

My question is- can this be done without any connectivity to the root? 
both dns zones are in the root so they really don't have any dns 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
however, the Quest people seem to think this can still work. 
can it? 

also, can the new forest have the same domain names as the old one? 

Thanks(I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here i am. Their AD is more messed up than I thought :) 
) 





Re: [ActiveDir] AD migration

2005-08-08 Thread Tom Kern
I just started today so what I got was-
they have connectivity to the child dns server but they cut off
connectivity to anything in the root domain.
the firewall is blocking all root traffic.
this has been like this for a week.
nothing is replicating to the root and there is no access to the _msdc
forest zone.

The forest is win2k native with an empty root and 1 child domain in a
separate tree.
they have DA access in the child domain but no DA/EA access in the root.
all the exchange servers(about 10) are in the child domain.
the only recipient policy in the root is the default one and the enterprise RUS.


They want to migrate the child domain and all the resources to a new
forest where we have full control of everything.
i assume we do not need connectivity to the _msdc forest dns zone to
create a trust with the old child domain to migrate everything over(or
anything in the root dns zone).

I'm not 2nd guessing the Quest guys, this is only for my own education.

Thanks a lot


On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
 I am sure Quest's consultants know what they are doing. Didn't you have 
 them put a quote and migration plan together prior to the actual migration? 
 Or are you asking these questions because you are second guessing them? Or is 
 this just for your own knowledge?
 
 My understanding is that both domain names have to be different when using 
 ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a 
 tool that overcomes this that I am not aware of. Are you trying to keep the 
 same domain name as the source? Microsoft also has a free tool that will 
 allow you to rename the target 2003 AD domain after you have completed 
 your migration and decommissioned old DCs.
 
 Jose
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
 Jorge de
 Sent: Monday, August 08, 2005 2:46 PM
 To: ActiveDir@mail.activedir.org; activedirectory
 Subject: RE: [ActiveDir] AD migration
 
 
 What do you mean with "In fact, they are cut off from the root domain 
 physically."? Do you mean as in there is no replication between the two 
 domains? If yes... dare I ask for how long?
 
 As far as I know, you can migrate the child domain without the root being 
 available because you will be having a trust between the new domain and the 
 child domain.
 
 I still don't understand what you mean... They are cut off from the root and 
 the DNS is available in the root. I must be missing something. Can you explain 
 a bit more?
 
 Jorge
 
 
 
 From: [EMAIL PROTECTED] on behalf of Tom Kern
 Sent: Mon 8/8/2005 11:08 PM
 To: activedirectory
 Subject: [ActiveDir] AD migration
 
 
 
 I just started working for a company. they used to outsource their
 AD/Exchange but now they're trying to get it back.
 
 It's a 2 tree, 2 domain forest. The root domain is empty.
 This company only has DA access on the child domain. No EA access. In
 fact, they are cut off from the root domain physically.
 
 What they want to do is create a new forest and migrate all
 users,exchange,computers,etc to the new forest and be done with the
 old.
 They are going to use Quest sw and a consultant from Quest for this.
 
 My question is- can this be done without any connectivity to the root?
 both dns zones are in the root so they really don't have any dns
 locally as well (needless to say, you can imagine what the rep logs
 look like). I'm sure this complicates matters.
 however, the Quest people seem to think this can still work.
 can it?
 
 also, can the new forest have the same domain names as the old one?
 
 Thanks(I'm the guy who posted about his new job jitters about a week
 or 2 ago, and here i am. Their AD is more messed up than I thought :)
 )
 
 
 



RE: [ActiveDir] AD Migration paths (divesting forests)

2002-10-15 Thread Roger Seielstad

We have traditionally done a single, full migration - workstations, servers
and accounts all at once. It tends to make for long weekends, but you only
touch each client machine once.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, October 14, 2002 10:40 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] AD Migration paths (divesting forests)
 
 
 Our company is divesting part of the organization into a 
 separate company.  That means we need to split our AD forest 
 into two separate forests.   We have a sense of how we are 
 going to do it but one question I have is the sequence.  
 
 We are going to build the new forest (both forests are empty 
 root, single domain) and set up an external trust between the 
 two main domains.  One plan has us migrating resources such 
 as workstations, servers, etc. to the new forest, maintaining 
 ACLs, etc. to the resources, and then migrating accounts towards 
 the end.  The second plan has us migrating the accounts first 
 and using SID history to maintain access to legacy resources 
 until they are migrated to the new domain.  Both plans seem 
 to work technically but we are not sure of best practices 
 as far as the migration.  A recent talk at MEC suggested the 
 latter as opposed to the former.
 
 Since we have not gone through this before in our 
 organization, I was hoping that folks that have gone through 
 this might shed some light...
 
 Diane
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/