Re: Merging to different Forests and Domains...
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Wed, 1 Mar 2006 20:50:05 +0100
Migration high level steps are:
* Make sure the AD has been configured (sites, subnets, replication, OUs,
GPOs, delegations, DNS, WINS, DHCP, etc.)
* Setup name resolution (WINS or DNS) between source and target
domain/forest
* Setup trusts (if an external trust is configured and sidhistory is used,
disable sid filtering)
* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with
sidhistory)
* Migrate clients from the source domain to the target domain, translate
security on the client, and translate profiles (at this moment users start
logging on with their new AD account on the migrated clients that have been
migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data/resources from source security
principals to target security principals (replace the security descriptors
from the old domain with the security descriptors from the new domain )
* Cleanup temporary configurations
* Cleanup sidhistory (recommended!). sIDHistory is used to access resources
while those resources still have security descriptors from the old domain.
As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed
sIDHistory can be cleaned. Sidhistory should only be used temporary for
migration purposes!
* Remove trusts
* Decommission old domain(s)
For more info on migrating to an AD domain also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx
ADMTv3 has been out for a while, so be sure to use that version.
(http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)
SID filtering is ALWAYS configured on the outgoing part of a trust! (not
saying now if it is disabled or not!!!)
On the outgoing trust (source --> target) sidfiltering is enabled by default
if the trusts was created on a W2KSP4 DC or higher (it is disabled by
default if the trust was created on a W2KSP3 DC or earlier(and thus NT4
also!). This TRUE for external trusts, but not for forest trusts (only
possible between W2K3 forests with both Forest functional level Windows
Server 2003) (what the document says about forest trust and SID filtering
being enabled is WRONG!)
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"dave.mudgett" <davemudgett@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1454F12-BD96-4844-8D9E-6660FF8213C5@xxxxxxxxxxxxxxxx
I have a general question on procedures...
I have two different forests, abc.com and def.com. The have a trust
between
them, but the time has come to colapse def.com and migrate it into
def.com.
I was wondering if someone could point me in the right direction. I know
about the ADMT Utility, but was wondering what kind of affect it would
have
on my file server, print server and any workstation that is a member of
the
domain.
Thanks in advance for any help.
.
- Prev by Date: Re: help! - DC/Exchange server - access denied DSRM
- Next by Date: Re: Windows 2003 R2
- Previous by thread: Re: help! - DC/Exchange server - access denied DSRM
- Next by thread: Re: Merging to different Forests and Domains...
- Index(es):
Relevant Pages
|
Loading
