RE: decommissioning the old domain after inter-forest migration

Hi,

"My theory is since users seems to be working correctly at this point, we
can possibly remove the sourcedomain\group from the file server security
tab to verify if this breaks anything. ". Yes, it is good behavior.

"Do we need to do anything with SID History and SID filtering option (like
use command line to reset these). ". We suggest you do this since you no
longer need the source domain. However, It is also OK if you don't .


Best regards,

Vincent Xu
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>>Thread-Topic: decommissioning the old domain after inter-forest migration
>>thread-index: AcYXgpSVr1DiPPMmQIe+78rtzrZtjg==
>>X-WBNR-Posting-Host: 65.213.142.100
>>From: "=?Utf-8?B?RGlwdGk=?=" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>References: <46AC5DE4-25E3-4A72-93F0-6E50E4F01234@xxxxxxxxxxxxx>
<UkfE4MZFGHA.3680@xxxxxxxxxxxxxxxxxxxxx>
<425B55EE-7765-4E62-974C-79011234F834@xxxxxxxxxxxxx>
<TmeSTR0FGHA.3152@xxxxxxxxxxxxxxxxxxxxx>
>>Subject: RE: decommissioning the old domain after inter-forest migration
>>Date: Thu, 12 Jan 2006 06:15:03 -0800
>>Lines: 188
>>Message-ID: <ABB10D65-0A78-4EBF-8F45-726EBD129E3B@xxxxxxxxxxxxx>
>>MIME-Version: 1.0
>>Content-Type: text/plain;
>> charset="Utf-8"
>>Content-Transfer-Encoding: 8bit
>>X-Newsreader: Microsoft CDO for Windows 2000
>>Content-Class: urn:content-classes:message
>>Importance: normal
>>Priority: normal
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>Newsgroups: microsoft.public.windows.server.migration
>>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.windows.server.migration:22011
>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>
>>We give the file/folder permission based on the group. All the groups are
>>migrated along with SID History. So, now if we go to the file server
which is
>>migrated to the target domain from the source domain using computer
migration
>>wizard, and look at the security tab of a folder, we see permission to
the
>>targetdomain\migrated group name, as well as source domain\group. I
believe
>>this is because we have two way trust between domain, we used migrate SID
>>History for the gorup and users and disabled Sid Filtering. My theory is
>>since users seems to be working correctly at this point, we can possibly
>>remove the sourcedomain\group from the file server security tab to verify
if
>>this breaks anything. Do we need to do anything with SID History and SID
>>filtering option (like use command line to reset these). Before
>>decommissioning, I am assuming we need to break the two way trust
between
>>forests, remove old exchange server and demote 2000 domain DC to member
>>server and retire them.
>>--
>>Dipti
>>
>>
>>"Vincent Xu [MSFT]" wrote:
>>
>>> Hi,
>>>
>>> Regarding your concerns, did you see the users in old domain in the ACL
of
>>> the folder on the file server now?
>>>
>>>
>>> Best regards,
>>>
>>> Vincent Xu
>>> Microsoft Online Partner Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>> When responding to posts, please "Reply to Group" via your newsreader
so
>>> that others may learn and benefit from your issue.
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
rights.
>>>
>>>
>>> --------------------
>>> >>Thread-Topic: decommissioning the old domain after inter-forest
migration
>>> >>thread-index: AcYW7T5a7RqU9eS6S2SuETZXp67Yzw==
>>> >>X-WBNR-Posting-Host: 65.213.142.100
>>> >>From: "=?Utf-8?B?RGlwdGk=?=" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>> >>References: <46AC5DE4-25E3-4A72-93F0-6E50E4F01234@xxxxxxxxxxxxx>
>>> <UkfE4MZFGHA.3680@xxxxxxxxxxxxxxxxxxxxx>
>>> >>Subject: RE: decommissioning the old domain after inter-forest
migration
>>> >>Date: Wed, 11 Jan 2006 12:26:03 -0800
>>> >>Lines: 100
>>> >>Message-ID: <425B55EE-7765-4E62-974C-79011234F834@xxxxxxxxxxxxx>
>>> >>MIME-Version: 1.0
>>> >>Content-Type: text/plain;
>>> >> charset="Utf-8"
>>> >>Content-Transfer-Encoding: 8bit
>>> >>X-Newsreader: Microsoft CDO for Windows 2000
>>> >>Content-Class: urn:content-classes:message
>>> >>Importance: normal
>>> >>Priority: normal
>>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>> >>Newsgroups: microsoft.public.windows.server.migration
>>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>> >>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>> >>Xref: TK2MSFTNGXA02.phx.gbl
>>> microsoft.public.windows.server.migration:21999
>>> >>X-Tomcat-NG: microsoft.public.windows.server.migration
>>> >>
>>> >>we will not be needing the source domain after one month. So one
month
>>> from
>>> >>today, if I decommission the source domain totally, user permission
to
>>> all
>>> >>files and folders in target domain are going to work correctly even
if I
>>> do
>>> >>not run computer migration on file server in replace mode-- right?
My
>>> boss
>>> >>does not want to run computer migration in replace mode again. He is
>>> afraid
>>> >>if we run in replace mode again, file/folder permission may get
messed
>>> up. I
>>> >>am thinking if we do not run computer migration on file server in
replace
>>> >>mode and decommission source domain, may be we will see some
questionable
>>> sid
>>> >>in security tab which will be associated with source domain and we
can
>>> just
>>> >>delete those manually as we come accross these. What do you suggest.
>>> >>Dipti
>>> >>
>>> >>
>>> >>"Vincent Xu [MSFT]" wrote:
>>> >>
>>> >>> Hi,
>>> >>>
>>> >>> As you read in the TechNet article, we recommend you run Security
>>> >>> Translation in replace mode to prevent SID history redundancy. If
you
>>> no
>>> >>> longer need the old domain, we may suggest you do this. However, if
you
>>> >>> don't do this step, also doesn't matter.
>>> >>>
>>> >>>
>>> >>> Best regards,
>>> >>>
>>> >>> Vincent Xu
>>> >>> Microsoft Online Partner Support
>>> >>>
>>> >>> Get Secure! - www.microsoft.com/security
>>> >>>
>>> >>> When responding to posts, please "Reply to Group" via your
newsreader
>>> so
>>> >>> that others may learn and benefit from your issue.
>>> >>>
>>> >>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>> >>>
>>> >>>
>>> >>> --------------------
>>> >>> >>Thread-Topic: decommissioning the old domain after inter-forest
>>> migration
>>> >>> >>thread-index: AcYVWYOpVfUNNAbUQFuewKm8hEKA1w==
>>> >>> >>X-WBNR-Posting-Host: 65.213.142.100
>>> >>> >>From: "=?Utf-8?B?RGlwdGk=?=" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>> >>> >>Subject: decommissioning the old domain after inter-forest
migration
>>> >>> >>Date: Mon, 9 Jan 2006 12:16:03 -0800
>>> >>> >>Lines: 32
>>> >>> >>Message-ID: <46AC5DE4-25E3-4A72-93F0-6E50E4F01234@xxxxxxxxxxxxx>
>>> >>> >>MIME-Version: 1.0
>>> >>> >>Content-Type: text/plain;
>>> >>> >> charset="Utf-8"
>>> >>> >>Content-Transfer-Encoding: 8bit
>>> >>> >>X-Newsreader: Microsoft CDO for Windows 2000
>>> >>> >>Content-Class: urn:content-classes:message
>>> >>> >>Importance: normal
>>> >>> >>Priority: normal
>>> >>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>> >>> >>Newsgroups: microsoft.public.windows.server.migration
>>> >>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>> >>> >>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>> >>> >>Xref: TK2MSFTNGXA02.phx.gbl
>>> >>> microsoft.public.windows.server.migration:21954
>>> >>> >>X-Tomcat-NG: microsoft.public.windows.server.migration
>>> >>> >>
>>> >>> >>Hello,
>>> >>> >>
>>> >>> >>Here is my question regarding decommissioning the old domain.
>>> >>> >>
>>> >>> >>Here is the basic info:
>>> >>> >>
>>> >>> >>We used ADMT V3 to migrate users account, computer account, file
>>> servers.
>>> >>> >>Every thing seems to be working now. We also migrated exchange
server
>>> >>> from
>>> >>> >>source to target domain using exchange migration wizard.
>>> >>> >>
>>> >>> >>During the migration I have choose the following options:
>>> >>> >>
>>> >>> >>1) For user migration, I h chose to enable target accounts -- and
>>> disable
>>> >>> >>source account in 60 days.
>>> >>> >>
>>> >>> >>2) For computer migration, I chose to use "Add" mode instead of
>>> >>> "replace"
>>> >>> >>mode.
>>> >>> >>
>>> >>> >>3) We chose to use SID History and Sid filtering.
>>> >>> >>
>>> >>> >>Now that we are almost to the point to decommission our source
domain
>>> >>> (old
>>> >>> >>windows 2000 domain), I am wondering what I need to do to
accomplish
>>> this
>>> >>> >>without getting into problem after decommissioning old domain.
>>> >>> >>
>>> >>> >>In the documentation for " restructuring active Directory domain
>>> between
>>> >>> >>forestÃ?¢ââ?? I believe it is recommended to run computer
migration
>>> again in
>>> >>> >>"Replace" mode for the file servers(I need to refresh my memory).
Is
>>> this
>>> >>> a
>>> >>> >>necessary step? How do you go about decommissioning old domain
for
>>> good.
>>> >>> >>
>>> >>> >>Thanks.
>>> >>> >>--
>>> >>> >>Dipti
>>> >>> >>
>>> >>>
>>> >>>
>>> >>
>>>
>>>
>>

.

Relevant Pages

  • RE: ReACL when migration a FileServer between domains
    ... my understanding is the migration file server. ... We can simply migrate the user accounts with "Add" mode by preserving the ... SID history of the source domain in the target domain. ...
    (microsoft.public.windows.server.migration)
  • RE: decommissioning the old domain after inter-forest migration
    ... now if we go to the file server which is ... this is because we have two way trust between domain, we used migrate SID ... >>>we will not be needing the source domain after one month. ... >>>does not want to run computer migration in replace mode again. ...
    (microsoft.public.windows.server.migration)
  • RE: decommissioning the old domain after inter-forest migration
    ... Translate security on the file server in "remove" mode with the option to ... > "Do we need to do anything with SID History and SID filtering option (like ... > Microsoft Online Partner Support ...
    (microsoft.public.windows.server.migration)
  • RE: Apending ACL in file mirgration between forests
    ... it can only keep the same ACL. ... member server by using ADMT->computer migration or security migration. ... able to update your profile and access the the partner newsgroups. ... you can use FSMT to migrate data from a file server in one ...
    (microsoft.public.windows.server.migration)
  • RE: FSMT without DFS
    ... will I be able to retain the UNC after the migration using ... How can I keep the OFS in commission concurrently with the NFS after ... General Steps of Migration and adjusting the corresponding record in DNS ... Install "File Server Migration Toolkit" on target file server. ...
    (microsoft.public.windows.server.migration)