Active Directory migration from domain X to Y

Similar Messages

• Active Directory Migration from 2003 to 2012 Process Flow

  We are planning to migrate from Windows Server 2003 AD to Windows server 2012 Server for 6000 Users,
  Can any one suggest  on Following .
  1)What is the Best and Safe Way to do Migration
  2) What are the Precautions should take,
  3) How much downtime it will take,
  4) If migration Failed how we can revert to Earlier
  5) How to do Migration Step by Step
  Current Environment:
  Domain Having  One PDC(server 2003 R2) and 8 ADC(Server 2003 R2) in Different Locations
  PDC having All FSMO Roles and Global Catalog
  Exchange server 2007 was integrated to Active Directory 
  And some Application are integrated to  Active Directory 

  1) I would recommend you first run a test of the steps in test before you do this in production.  Otherwise your production becomes test.
  2) By doing in test, you have taken a large amount of the risk out of the upgrade since, in test you should be able to look for any unforseen issues.  The easiest way to test is to build a virtual fence from production and clone the DC's and member
  servers that you want to test against (This is assuming you are running in a virtual environment).  Ensure that you production environment is error free.
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
  3) There should be no downtime at all, you can just extend the schema and then promote a new 2012 DC (I would recommend R2 if you can).
  4) Before you do the schema extension you should take 2 backups on two different DC's.  Taking two gives you less of a chance of a problem if one of the backups fails.
  5)
  Take a backup
  Extend the schema
  Join the 2012 R2 servers to the domain
  Add the ADDS role to the 2012 R2 member servers
  Promote the 2012 R2 DC's
  Transfer the FSMO roles to the 2012 R2 DC's (Not required but recommended)
  If you want to retire the 2003 DC's, then you will need to make sure that any clients pointing to the 2003 DC's for DNS are pointing to other DC's.
  If you do retire the 2003 then you can think about updating the DFL and FFL of the domain and forest.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Active Directory Cross Forest Domain Migration

  Dear All,
  We are in the process to rebuild new Active Directory infrastructure. Multiple single forest domains in organization which needs to be consolidated/migrated on single Active Directory Domain. For this consolidation, have some queries to be addressed before
  going to start consolidation.
  What is the best practices and what tool should we use for domain migration/consolidation
  Active directory is on Windows 2003, forest and domain level is on Windows 2003, this will support to Windows 2012 R2 forest and domain functional level, will be migrated
  directly from windows 2003 to windows 2012?
  When move users to new domain, how will they access the other resources on the network. For e.g. Printer, File server, local web base application
  After moving some computers to new domain would be possible to access remaining computers on old domain?
  How the file server data will be moved? Best practices with NTFS folder permissions and users rights?
  Is there any policy to register network printers on new Active Directory domain?
  How users would be access web base application on new domain as their FQDN would be define with old domain name? Any option to change old domain FQDN with new domain that would be describe with any URL link?
  Kindly give your valuable input to meet the desire result.
  Thanks in Advance.

  Dear Lucky,
   Ya you can Migrate contents from multiple forest domain. Using ADMT (Active Directory Migration Tool)is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, cause in Windwos Server 2012 R2 don't
  have the supportebility of Windows Sever 2003.And not only users you can also migrate all others info (i.e. Computer object info, groups info, Exchange mailbox info, security info).You can migrate users face by face, means which peoples are in old domain they
  can access old domain and new users are in new domain.For more info please follow the given link:
  http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
  Mithun Dey Web: http://cloudmithun.wordpress.com If this may give your necessary resolution please mark it as Answre.

• Query Microsoft Active Directory info from PL/SQL

  Hi,
  We are developping an APEX application that would need to query information about the enterprise computers defined on the Active directory. Anyone knows it would be possible acces to this info from PL/SQL?
  I ahve read that exists a package that enables manipulate COM objectes (http://download-east.oracle.com/docs/cd/B10501_01/win.920/a95499/ch3core.htm#1006978)
  and I know that they exists COM interfases to Active Diretory (they are named Active Directory Service Interfaces (ADSI) ) but I have no idea if its possible to succesfully merge these 2 concepts.
  Has anyone tried to query Active directory info from PL/SQL using COM components or any other method?
  Thanks by advance

  Why not use DBMS_LDAP? That is what APEX's (built-in) LDAP authentication module uses. And it works just fine (doing a bind call) against a MS Active Directory Server.
  As for mucking about with COM from Oracle.. me no like. That ties your Oracle and PL/SQL to a specific operating system and you loose of the biggest advantages of Oracle - portability. Worse, you are at the mercy of the o/s vendor sticking to whatever standards used. In the case of Microsoft, that means mostly proprietary "standards" and very likely changes in those "standards" with every new version of the o/s - which will break your software. (personal experience talking)
  Rather let Oracle deal with the o/s complexities and restrict your code to using Oracle features only, as far as possible.

• SBS 2008 to Server 2012 R2 Active Directory Migration

  Is there a tool that i can use to migrate Active Directory from SBS 2008 to Server 2012 R2?

  There is no special tool for your situation. While there is a tool called ADMT that you may see mentioned if you search enough, it isn't really well suited for what you want.
  With that said, there is also no *need* for a tool as I've already said. Nor do you need to recreate the users and have mismatched SIDs. You will add the 2012 machine to your existing domain and make it a domain controller. Yes, that means you will have
  two DCs (for a time.)  This is how larger organizations handle multiple DCs all the time, and they obviously don't go and create the same user on each DC. That is where the domain replication comes in.  Your new server will be a DC and will replicate
  all of the users *and* SIDs from the existing SBS server. 
  Then, when you are ready, you decommission the SBS 2008 server gracefully and the new 2012 server becomes your sole DC, but has AD completely intact. It is a tried and true practice, both within and outside of the SBS world, and has been done many many times.

• Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest

  I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?

  Well, I’ve made some encouraging progress.
  I’ve managed to log on!
  I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
  Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
  I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
  I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
  Re-bound it to AD and boom CPU shot right back up.
  I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
  If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
  Plan going forward:
  I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
  If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
  It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
  I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you.

• Active Directory logins from Windows to Final Cut Server

  While I did manage to solve my main problem with Integrating AD with Final Cut Server at this one site.... It turns out that there a typo in the kerberos config file. Ooops. Now logins in from Mac OS using AD credentials works well. Unfortunately, I am still seeing some minor issues, like certain groups in AD not being able to login, and for some reason the Windows users can't login (only the Macs using AD credentials). Any seeing anything like this? Of course I enabled certain groups in Final Cut Server pref pane to match certain AD groups, but in the end only the BuiltIn groups worked, not the Domain Users, Domain Admin groups. Strange. And not sure why Windows users can't login. Same domain. Fun times.

  It seems like I read the inital Kb article wrong. The Windows clients get the krb5.ini file, not the Domain Controller. LOL. Thanks to drew for pointing that out to me.
  http://support.apple.com/kb/HT3688
  In order for Active Directory bound Windows Final Cut Server client systems to successfully authenticate to Final Cut Server, you must create a custom Kerberos configuration file on the Windows client system.

• Active directory migration , profile migration using admt

  Hi,
        I have request to migrate the users using admt tool, where profile avg size is 100 mb. how much approx time it should take..  considering below
  1. if profile is local or roaming , does it make any difference in time taken
  2. size of profile is 10 mb and 100 mb, should i assume assume it should take 10 time more time?
  3. what are the other parameters can affect time taken for migration
  thanks

  I think what you need to use is User State Migration Toolkit (USMT), ADMT is used for migration of domain accounts and from the way I am reading this it sounds like you are trying to migrate profiles on a desktop.
  http://technet.microsoft.com/en-us/library/dd560801(v=WS.10).aspx
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Active Directory Forest root domain name

  Hi MSFT Community!
  I've been away from AD for a little while and I'm wondering: is company.lan or company.local still a current/recommended practice for instantiating a new root Active Directory domain for a growing company?
  Thank you!

  Hi MSFT Community!
  I've been away from AD for a little while and I'm wondering: is company.lan or company.local still a current/recommended practice for instantiating a new root Active Directory domain for a growing company?
  I would rather you to stick with ad.company.com where the company.com is the website. Actually I prefer to use a child domain for AD tasks. 
  Why you shouldn't use .local in your Active Directory domain name.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Retrieving Active Directory infomation from SQL Server

  Dear All
  We have a requirement to load active directory users and user groups into a SQL Server database. Looking at the information available it seems you need to create a Linked Server of type 'Active Directory Service Interfaces'. Creating a linked server will
  be a problem for out customers so I was wondering if there was another way of doing it. I will accept all ideas no matter how odd :D
  Thanks
  Peter

  Please refer the below link for incremental loading of data from AD:
  http://beyondrelational.com/modules/2/blogs/557/posts/15401/incremental-dl-porting-in-sql-server-querying-ldap-to-get-the-users-belongs-to-a-dl-group-in-sql-ser.aspx

• Active Directory Migration

  I was wondering if anyone knew right off hand if you can migrate an account that was create on the mac by being bound to one domain to another domain?
  The reason I ask is we are moving to a new domain name/tree and once i change that binding I can no longer log into the system.

  The User folder was created on the local Mac and the domain was activated on the new domain.
  When I bind to the new domain i cannot log into the "old" profile anymore until i would switch the domain back over.

• Open Directory Migration from Mac OSX Server 10.4 to 10.8?

  Hi All,
  This might be a silly question and apologise in advanced if this is?
  We are running on old Xserve (10.4.8) with approx. 100 Mac clients and would like to know if it's possible to migrate from OD 10.4 to OD 10.8. We tried just to see what would happen if we archived the old OD and re-imported in to 10.8, but as we guessed this didn’t work. I’ve looked through this forum and seems most are doing this from 10.5, so wondering if we need to upgrade to 10.5 and then up to 10.8?
  Any pointers would be great.
  Many thanks.
  Mike

  If you don't mind clearing ser passwords, then I would export users from 10.4 and import into 10.8
  There are some issues with service ACLs in doing this, but its still the fastest process.
  If users are allowed to set their own PW, the you give provide preset pw's (either unique or common) and a URL to allow users to reset their PW.
  If you need to retain passwords, what I would do is clone the 10.4 server, then upgrade it all the way to 10.8 then archive OD from that and import into a clean-install of 10.8 server.
  Whataver you do, don't rely on a 10.4 to 10.8 migration, you'll want a clean 10.8 install.
  The offline 10.4 -> 10.8 would allow you to retain PWs, but it creates alot of extra work for you.

• Active Directory Migration Tool Issue

  Hi,
  I am currently doing a pilot to migrate users from a Windows Server 2003 Forest (2000 FFL, 2003 DFL) into Windows Server 2008 R2 (2008R2 FFL, 2008R2 DFL).
  There is an External Trust setup between the 2 forests.
  Having successfully migrated some test users and groups from Source to Target domain, I am able to access resources on a file server located in the Source domain (due to SID history being migrated along with SID Filtering being disabled)
  My issue is that I want to now use the Security Translation Wizard to add the newly migrated users and groups to the Source File Servers ACLs, Registry etc.
  ADMT is installed on a Target DC and when I run the Security Translation wizard it fails and the log shows the below...
  Details for DC01.SourceDomain
  Local Machine
      Computer:   DC01.SourceDomain (DC01)
          Domain:    DC01 (DC01)
          OS:         Microsoft Windows Server 2003 R2 5.2 (3790) Service Pack 2
  2012-03-08 15:57:47 Starting Security Translator.
  2012-03-08 15:57:47 Agent is running in local mode.
  2012-03-08 15:57:47 ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent\Accounts000026.txt
  2012-03-08 15:57:47 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes TranslationMode:Add CWN WIRRAL.NHS.UK
  2012-03-08 15:57:47 Starting
  2012-03-08 15:57:47 Translating local machine.
  2012-03-08 15:57:48 Skipping A:\, rc=21   The device is not ready.
  2012-03-08 15:57:48 Processing C:\
  2012-03-08 15:57:51 Skipping D:\.  D:\ is a CD-ROM drive.
  2012-03-08 15:57:51 Processing E:\
  2012-03-08 15:57:51 Processing shares on local machine.
  2012-03-08 15:57:51 Processing printer security...
  2012-03-08 15:57:51 Translating local groups.
  2012-03-08 15:57:51 Translating user rights.
  2012-03-08 15:57:51 Translating security on registry keys.
  2012-03-08 15:58:11 ------Account Detail---------
  2012-03-08 15:58:11 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
  2012-03-08 15:58:11 -----------------------------
  2012-03-08 15:58:11 0 users, 0 groups, 0 msas
  2012-03-08 15:58:11 0 accounts selected.  0 resolved, 0 unresolved.
  2012-03-08 15:58:11            Examined        Changed     Unchanged
  2012-03-08 15:58:11 Files          11755              0         11755
  2012-03-08 15:58:11 Dirs            1071              0          1071
  2012-03-08 15:58:11 Shares             4              0             4
  2012-03-08 15:58:11 Members           15              0            15
  2012-03-08 15:58:11 User Rights       61              0            61
  2012-03-08 15:58:11 Exchange Objects          0              0             0
  2012-03-08 15:58:11 Containers         0              0             0
  2012-03-08 15:58:11 DACLs         123187              0        123187
  2012-03-08 15:58:11 SACLs             63              0            63
  2012-03-08 15:58:11            Examined        Changed     No Target   Not Selected     Unknown
  2012-03-08 15:58:11 Owners       123189              0        123189             
  0           0
  2012-03-08 15:58:11 Groups       123189              0        123189             
  0           0
  2012-03-08 15:58:11 DACEs       1003913              0       1003913        1003913          
  0
  2012-03-08 15:58:11 SACEs            66              0            66            
  66           0
  2012-03-08 15:58:12 Wrote result file C:\WINDOWS\OnePointDomainAgent\000026_CWN-DC01.result
  2012-03-08 15:58:12 Operation completed.
  The error is looking for C:\Program Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the Source Server (where the Agent is installed)
  Can anyone help please?

  Howdie!
  On 08.03.2012 17:32, Wrightyi28 wrote:
  > ADMT is installed on a Target DC and when I run the Security Translation
  > wizard it fails and the log shows the below...
  > [...]
  > The error is looking for C:\Program
  > Files\OnePointDomainAgent\Accounts000026.txt which does not exist on the
  > Source Server (where the Agent is installed)
  Is/was AGPM installed on the server you ran the security translation
  agent on?
  Florian
  The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.

• Open Directory Migration from Mac OSX Server 10.4.11 to 10.8?

  I manage an old (2004) G5 Xserve still successfully running OS X 10.4.11 with about 450 users in the Open Directory. I just purchased a Mac mini Server which will run OSX Server 10.8. I want to migrate all the user accounts from the old G5 Xserve to the new Mac Mini server. Can someone spell out the step-by-step process or point me to a document that can help me. I have searched through many of the apple discussion forum threads and Apple Server migration docs, but have not found a clear path to follow to get the old OSX 10.4.11 user accounts onto the new OSX 10.8 Mac Mini server. 
  The G5 server does not serve mail, print, or any other services other than the user accounts (home directories) for the users.
  Help!!!  Thanks.
  John

  If you don't mind clearing ser passwords, then I would export users from 10.4 and import into 10.8
  There are some issues with service ACLs in doing this, but its still the fastest process.
  If users are allowed to set their own PW, the you give provide preset pw's (either unique or common) and a URL to allow users to reset their PW.
  If you need to retain passwords, what I would do is clone the 10.4 server, then upgrade it all the way to 10.8 then archive OD from that and import into a clean-install of 10.8 server.
  Whataver you do, don't rely on a 10.4 to 10.8 migration, you'll want a clean 10.8 install.
  The offline 10.4 -> 10.8 would allow you to retain PWs, but it creates alot of extra work for you.

• Active Directory Migration Tool Moving Users before groups?

  How are permissions to resources granted? By user or by group?
  It's been so long I can't actually remember, but I think we moved users and groups together.
  The SIDs will change if things are moving to a new domain.  But the migration tool handles that for you.

  What are the draw backs of migration users before groups in a interdomain migration? if any
  This topic first appeared in the Spiceworks Community