Re: Server 2003 Domain Migration
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Mon, 17 Apr 2006 07:40:03 +0200
Migration high level steps are:
* Make sure the AD has been configured (sites, subnets, replication, OUs,
GPOs, delegations, DNS, WINS, DHCP, etc.)
* Setup name resolution (WINS or DNS) between source and target
domain/forest
* Setup trusts (if an external trust is configured and sidhistory is used,
disable sid filtering)
* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with
sidhistory)
* Migrate clients from the source domain to the target domain, translate
security on the client, and translate profiles (at this moment users start
logging on with their new AD account on the migrated clients that have been
migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data/resources from source security
principals to target security principals (replace the security descriptors
from the old domain with the security descriptors from the new domain)
* Cleanup temporary configurations
* Cleanup sidhistory (recommended!). sIDHistory is used to access resources
while those resources still have security descriptors from the old domain.
As soon as all data (file, folders, mailboxes, etc.) have been re-ACL-ed
sIDHistory can be cleaned. Sidhistory should only be used temporarily for
migration purposes!
* Remove trusts
* Decommission old domain(s)
For more info on migrating to an AD domain also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx
ADMTv3 has been out for a while, so be sure to use that version.
(http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)
DOMAIN A ------------------> DOMAIN B
   ^             ^               ^
   |             |               |
   |           trust             |
   |                             |
   |                          incoming
outgoing
SID filtering is ALWAYS configured on the outgoing part of a trust! (not
saying now if it is disabled or not!!!)
On the outgoing trust (source --> target) sidfiltering is enabled by default
if the trust was created on a W2KSP4 DC or higher (it is disabled by
default if the trust was created on a W2KSP3 DC or earlier (and thus NT4
also!)). This is TRUE for external trusts, but not for forest trusts (only
possible between W2K3 forests with both Forest functional level Windows
Server 2003) (what the document says about forest trust and SID filtering
being enabled is WRONG!)
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
If you want to use sidhistory then sid filtering will have an impact on that if
SID filtering is enabled on the outgoing side of the trust. Disable it for
the moment you use sidhistory if it is enabled.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"domer" <domer@xxxxxxxxxxxxxxxx> wrote in message
news:eclZQZmXGHA.128@xxxxxxxxxxxxxxxxxxxxxxx
My company changed its name over a year ago but still has many lingering
services with the old name. One of these is our DNS structure and Active
Directory domain. The short of my question is this:
We have decided to rearchitect our AD from the ground up to take
advantage of more features and address issues with our current setup. At
the same time we want to change our DNS structure to reflect our new name.
We currently have 2 domain controllers running Windows Server 2003. These
servers will be decommissioned and replaced with new servers hosting our
new domain. I would like to configure these new servers separate from my
current configuration, then migrate all data from the old domain to the
new domain. I have looked for resources that walk thru the process of
doing this type of migration but have not found enough to be comfortable
moving forward. If anyone can provide whitepapers, checklists, or books
that I can study to get an idea of the scope of this project, and move
forward with this project I would appreciate it.
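
An added example, not part of the original posting and not ADMT's own tooling: a PowerShell function for the "Cleanup sidhistory" step in the reply above. It groups objects that still carry sIDHistory by source-domain SID, so you can see what remains before the trust is removed. The function name, sample accounts and SIDs are constructed for illustration; the commented Get-ADObject and Get-ADTrust calls assume the ActiveDirectory RSAT module.

```powershell
# Added example; sample accounts and SIDs below are constructed.
# Live input (assumes the ActiveDirectory RSAT module, run in the target domain):
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | Get-SidHistorySummary
# SID filtering state of trusts, run in the source (trusting) domain:
#   Get-ADTrust -Filter * | Select-Object Name, Direction, SIDFilteringQuarantined

function Get-SidHistorySummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin { $byDomain = @{} }
    process {
        # foreach skips objects whose sIDHistory is empty or $null.
        foreach ($sid in $InputObject.sIDHistory) {
            # Accepts SecurityIdentifier objects or SDDL strings (S-1-5-21-...).
            $parsed = [System.Security.Principal.SecurityIdentifier]::new([string]$sid)
            # AccountDomainSid is $null for SIDs that are not domain account SIDs.
            $domainSid = '(no domain SID)'
            if ($parsed.AccountDomainSid) { $domainSid = $parsed.AccountDomainSid.Value }
            if (-not $byDomain.ContainsKey($domainSid)) {
                $byDomain[$domainSid] = [System.Collections.Generic.List[string]]::new()
            }
            $byDomain[$domainSid].Add([string]$InputObject.Name)
        }
    }
    end {
        # One row per source domain whose SIDs are still present in sIDHistory.
        foreach ($key in ($byDomain.Keys | Sort-Object)) {
            $names = @($byDomain[$key] | Sort-Object -Unique)
            [pscustomobject]@{
                SourceDomainSid = $key
                ObjectCount     = $names.Count
                Objects         = $names -join ', '
            }
        }
    }
}

# Constructed sample: two migrated objects from one source domain, one clean account.
$sample = @(
    [pscustomobject]@{ Name = 'alice';      sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1105') }
    [pscustomobject]@{ Name = 'FileAdmins'; sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1150') }
    [pscustomobject]@{ Name = 'bob';        sIDHistory = $null }
)
$sample | Get-SidHistorySummary | Format-Table -AutoSize
```

An empty result from the live query means no object in the target domain depends on old-domain SIDs any more; until then, resources that have not been re-ACL-ed are still reachable only through sIDHistory.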