RE: decommissioning the old domain after inter-forest migration



Thank you for your response. Now I would like to know if there is an easier
way to remove the access rights for the sourcedomain\groups from the file
server. We have multiple file servers with a huge amount of files/folders. I
find it to be a daunting task to remove sourcedomain\groups from the migrated
file server. What are my options here? Any script or tools available for it?
Translate security on the file server in "remove" mode with the option to
remove user rights does not seem to accomplish anything.
--
Dipti


"Vincent Xu [MSFT]" wrote:

> Hi,
>
> "My theory is since users seems to be working correctly at this point, we
> can possibly remove the sourcedomain\group from the file server security
> tab to verify if this breaks anything. ". Yes, it is good behavior.
>
> "Do we need to do anything with SID History and SID filtering option (like
> use command line to reset these). ". We suggest you do this since you no
> longer need the source domain. However, it is also OK if you don't.
>
>
> Best regards,
>
> Vincent Xu
> Microsoft Online Partner Support
>
>
>
> --------------------
> >>From: "Dipti" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >>Subject: RE: decommissioning the old domain after inter-forest migration
> >>Date: Thu, 12 Jan 2006 06:15:03 -0800
> >>
> >>We give the file/folder permission based on the group. All the groups are
> >>migrated along with SID History. So, now if we go to the file server which is
> >>migrated to the target domain from the source domain using computer migration
> >>wizard, and look at the security tab of a folder, we see permission to the
> >>targetdomain\migrated group name, as well as source domain\group. I believe
> >>this is because we have two way trust between domain, we used migrate SID
> >>History for the group and users and disabled Sid Filtering. My theory is
> >>since users seems to be working correctly at this point, we can possibly
> >>remove the sourcedomain\group from the file server security tab to verify if
> >>this breaks anything. Do we need to do anything with SID History and SID
> >>filtering option (like use command line to reset these). Before
> >>decommissioning, I am assuming we need to break the two way trust between
> >>forests, remove old exchange server and demote 2000 domain DC to member
> >>server and retire them.
> >>--
> >>Dipti
> >>
> >>
> >>"Vincent Xu [MSFT]" wrote:
> >>
> >>> Hi,
> >>>
> >>> Regarding your concerns, did you see the users in old domain in the ACL of
> >>> the folder on the file server now?
> >>>
> >>>
> >>> Best regards,
> >>>
> >>> Vincent Xu
> >>> Microsoft Online Partner Support
> >>>
> >>>
> >>>
> >>> --------------------
> >>> >>From: "Dipti" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >>> >>Subject: RE: decommissioning the old domain after inter-forest migration
> >>> >>Date: Wed, 11 Jan 2006 12:26:03 -0800
> >>> >>
> >>> >>We will not be needing the source domain after one month. So one month from
> >>> >>today, if I decommission the source domain totally, user permission to all
> >>> >>files and folders in target domain are going to work correctly even if I do
> >>> >>not run computer migration on file server in replace mode -- right? My boss
> >>> >>does not want to run computer migration in replace mode again. He is afraid
> >>> >>if we run in replace mode again, file/folder permission may get messed up. I
> >>> >>am thinking if we do not run computer migration on file server in replace
> >>> >>mode and decommission source domain, maybe we will see some questionable SID
> >>> >>in security tab which will be associated with source domain and we can just
> >>> >>delete those manually as we come across these. What do you suggest?
> >>> >>Dipti
> >>> >>
> >>> >>
> >>> >>"Vincent Xu [MSFT]" wrote:
> >>> >>
> >>> >>> Hi,
> >>> >>>
> >>> >>> As you read in the TechNet article, we recommend you run Security
> >>> >>> Translation in replace mode to prevent SID history redundancy. If you no
> >>> >>> longer need the old domain, we may suggest you do this. However, if you
> >>> >>> don't do this step, it also doesn't matter.
> >>> >>>
> >>> >>>
> >>> >>> Best regards,
> >>> >>>
> >>> >>> Vincent Xu
> >>> >>> Microsoft Online Partner Support
> >>> >>>
> >>> >>>
> >>> >>>
> >>> >>> --------------------
> >>> >>> >>From: "Dipti" <Dipti@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >>> >>> >>Subject: decommissioning the old domain after inter-forest migration
> >>> >>> >>Date: Mon, 9 Jan 2006 12:16:03 -0800
> >>> >>> >>
> >>> >>> >>Hello,
> >>> >>> >>
> >>> >>> >>Here is my question regarding decommissioning the old domain.
> >>> >>> >>
> >>> >>> >>Here is the basic info:
> >>> >>> >>
> >>> >>> >>We used ADMT V3 to migrate users account, computer account, file servers.
> >>> >>> >>Everything seems to be working now. We also migrated exchange server from
> >>> >>> >>source to target domain using exchange migration wizard.
> >>> >>> >>
> >>> >>> >>During the migration I have chosen the following options:
> >>> >>> >>
> >>> >>> >>1) For user migration, I chose to enable target accounts -- and disable
> >>> >>> >>source account in 60 days.
> >>> >>> >>
> >>> >>> >>2) For computer migration, I chose to use "Add" mode instead of "replace"
> >>> >>> >>mode.
> >>> >>> >>
> >>> >>> >>3) We chose to use SID History and Sid filtering.
> >>> >>> >>
> >>> >>> >>Now that we are almost to the point to decommission our source domain (old
> >>> >>> >>windows 2000 domain), I am wondering what I need to do to accomplish this
> >>> >>> >>without getting into problem after decommissioning old domain.
> >>> >>> >>
> >>> >>> >>In the documentation for "restructuring active Directory domain between
> >>> >>> >>forest" I believe it is recommended to run computer migration again in
> >>> >>> >>"Replace" mode for the file servers (I need to refresh my memory). Is this a
> >>> >>> >>necessary step? How do you go about decommissioning old domain for good?
> >>> >>> >>
> >>> >>> >>Thanks.
> >>> >>> >>--
> >>> >>> >>Dipti
> >>> >>> >>
> >>> >>>
> >>> >>>
> >>> >>
> >>>
> >>>
> >>
>
>
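
One scripted way to approach the bulk cleanup asked about at the top of this thread, added here as an example and not part of any poster's message or of ADMT. The function name `Remove-SourceDomainAce`, the share path and the domain SID are hypothetical placeholders; it matches ACEs by the source domain's SID rather than by name, so it still works once the old domain can no longer resolve names.

```powershell
# Added example. Assumptions: Windows PowerShell 3.0 or later, run by an account
# allowed to change the ACLs, and the target-domain groups are already on the ACLs
# (security translation in "Add" mode, as described in the thread).
function Remove-SourceDomainAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        # Domain SID of the old domain, e.g. 'S-1-5-21-<placeholder>' (no RID).
        [Parameter(Mandatory = $true)][string]$SourceDomainSid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Explicit ACEs only; inherited ones disappear when the parent is cleaned.
        # Asking for SecurityIdentifier avoids any name lookup against the old domain.
        $stale = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
            $domainSid = $_.IdentityReference.AccountDomainSid   # $null for BUILTIN etc.
            $null -ne $domainSid -and $domainSid.Value -eq $SourceDomainSid
        })
        if ($stale.Count -eq 0) { continue }

        foreach ($rule in $stale) {
            $acl.RemoveAccessRuleSpecific($rule)
            # Report row, emitted whether or not the change is written.
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($stale.Count) source-domain ACE(s)")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Dry run first: writes nothing, only lists what would be removed.
# Remove-SourceDomainAce -Root 'D:\Shares' -SourceDomainSid 'S-1-5-21-<placeholder>' -WhatIf |
#     Export-Csv .\stale-aces.csv -NoTypeInformation
```

Review the dry-run report for any folder where the source-domain entry is the only grant before running without `-WhatIf`, since removing it there would cut off access.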