AD User migration to new domain
I have a SharePoint site in Domain A with 1000 users. A new domain B will be set up. I need to migrate the SharePoint site from domain A to domain B. The AD users' SID will remain the same. Below are two possible solutions:
1. Install new SharePoint in Domain A. Restore the site from Domain A to Domain B. Migrate all 1000 users using the Move-SPUser or Stsadm command.
2. Change the domain for the system hosting SharePoint. Then migrate the 1000 users using the Move-SPUser or Stsadm command.
Will the permissions remain the same if the users are migrated, and what other issues could there be?
So one thing to keep in mind is that disjoining/joining SharePoint farms from one domain to another isn't supported. Instead, the general process is to build a new farm in the target domain and recreate it, restoring backups of content/service application databases as necessary.
Users cannot be moved from one domain to another without a SID change. Part of their SID stems from the domain they're a member of, and that changes when they're moved. There is a function called SIDHistory which stores previous SIDs from previous domains, and this is commonly used. Despite that, you still need to issue a Move-SPUser, not only because their SID has changed, but because their domain name has changed.
One thing to note is that if you're using a Claims-enabled Web Application, you still must issue -IgnoreSID in the Move-SPUser cmdlet, regardless if SIDHistory is used or not during the migration.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
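A bulk form of the Move-SPUser step from the answer above, for a Claims-enabled web application; this is an added example, not code from the thread. The site URL, file paths and the CSV columns (OldLogin, NewLogin) are assumptions, and it is meant to be run from the SharePoint Management Shell on a farm server.

```powershell
# Added example, not from the original thread.
# Hypothetical inputs: $SiteUrl, $MapFile, $LogFile and a CSV with the columns
# OldLogin,NewLogin (for example DOMAINA\jdoe,DOMAINB\jdoe).
param(
    [string]$SiteUrl = 'https://sharepoint.example.local',
    [string]$MapFile = 'C:\Migration\user-map.csv',
    [string]$LogFile = 'C:\Migration\move-spuser-results.csv',
    [switch]$DryRun   # pass -DryRun to preview with -WhatIf and change nothing
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Claims-enabled web applications store Windows accounts as i:0#.w|DOMAIN\user
$claimsPrefix = 'i:0#.w|'

$results = foreach ($row in Import-Csv -Path $MapFile) {
    $status = 'Moved'
    $detail = ''
    try {
        # Resolve the existing (old-domain) user; throws if the account was
        # never added to this site, which is recorded as a failure below.
        $user = Get-SPUser -Identity ($claimsPrefix + $row.OldLogin) -Web $SiteUrl -ErrorAction Stop

        $move = @{
            Identity    = $user
            NewAlias    = $claimsPrefix + $row.NewLogin
            IgnoreSID   = $true      # required for claims, with or without SIDHistory
            Confirm     = $false
            ErrorAction = 'Stop'
        }
        if ($DryRun) {
            $move.WhatIf = $true
            $status = 'DryRun'
        }
        Move-SPUser @move
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }

    # One result row per mapping so failures can be reviewed and retried
    [pscustomobject]@{
        OldLogin = $row.OldLogin
        NewLogin = $row.NewLogin
        Status   = $status
        Detail   = $detail
    }
}

$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Group-Object -Property Status | Select-Object -Property Name, Count
```

Rows marked Failed in the result file are the accounts to check by hand before the old domain is retired, since their permissions still point at the old login.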
Similar Messages
-
Issue in SQL-server migration to new domain
Hello,
I have a scenario where I need to migrate SQL 2005 server DBs (around 30, small ones) to a new server in a new domain. The destination server is 2012 R2, running SQL 2014.
The domains have a trust between them, and users have already been migrated to the new domain. Users are using the databases with NT authentication from the new domain (new logins & users have been created on the old SQL server).
I have backed up the DBs from the old server and restored them on the new server. After that, I restored the logins with the following article's script:
http://support.microsoft.com/kb/918992
I cleaned out of the login script the logins that are not in use, changed the domain name to the new one in the CREATE LOGIN phase (for the users who did not already have a login from the new domain), and the script ran without errors.
User mappings are as they should be on the logins; however, the user & schema names point to the old domain. If I try to change them, I receive an error about a SID mismatch. This also affects users who already had new logins for the new domain; their usernames on the mappings are also changed to the old domain's username. What is causing this?
Hi,
Could you try the following to migrate the logins and check the result?
1. You may drop all the Windows logins. Modify the script generated by the sp_help_revlogin step and replace create login with drop login.
2. Use the script generated by the sp_help_revlogin step to create the logins. Modify the login name to accommodate the new domain name.
3. Grant server-level roles using the output from the following query, which generates the server-level role information:
-- Emits one EXEC sp_addsrvrolemember statement per (login, server role) membership
SELECT 'EXEC sp_addsrvrolemember ''' + p.name + ''' , ''' + r.name + ''';'
FROM sys.server_principals r
INNER JOIN sys.server_role_members m ON r.principal_id = m.role_principal_id
INNER JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE r.type = 'R'
Sample output:
EXEC sp_addsrvrolemember 'sa' , 'sysadmin';
4. Map the SIDs using the command below for all DBs by using ALTER USER. For example:
ALTER USER [DomainA\UserA] WITH LOGIN = [DomainB\UserA]
See:
http://blogs.technet.com/b/mdegre/archive/2011/06/27/can-i-move-sql-server-to-another-domain.aspx
Here some useful articles:
http://www.databasejournal.com/features/mssql/article.php/3922256/Re-generating-SQL-Server-Logins.htm
http://support.microsoft.com/kb/918992/en-us
http://support.microsoft.com/kb/240872
Thanks.
Tracy Cai
TechNet Community Support -
Use old domain controller AD user profile with new domain (profile changed)
Dear All,
I have built Win Server 2012 for Domain migration from Windows Server 2003 to Windows Server 2012. I have tested all thing on VMware including user creation and tested Domain join using power shell for Win 7 and .VBs batch file for Win XP computers all thing
are working fine.
Let 1st I introduce my current environment. I have existing Win Server 2003 domain controller (abc.com) with 130 client computers and 200 users I am going to plan migrate my current environment to Win server 2012 Domain (xyz.com) Keep in mind that Domain
name is changed but Domain Controller (Server) names are same i.e MY-PDC . I have tested domain join on multiple computers using existing clone of client computers and create all existing users using .csv file and power shell with required
credentials and OU. I am facing the user profile issue when I join domain and login with existing user which was previously the user of same computer the required profile does not login and computer creates new user profile in Document and Settings section
of Win XP.
I need your expert opinions because copy old profile data and create new outlook profile for each user is a big headache for any one. Hope you people can understand and help me in this issue.
Please provide best answer and result on priority I will be thankful to all of you.
Regards,
Arsalan
Hi Arsalan,
Please check if USMT can help you to achieve this target.
User State Migration Tool 4.0 User's Guide
Meanwhile, please also refer to the following articles and check if they can help you.
How to Migrate Windows User Profile to New Account
Keeping user old domain profile
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If anything I misunderstand or any update, please don’t hesitate to let us know.
Hope this helps.
Best regards,
Justin Gu -
Move user profile to new domain profile on same computer
If you want to copy data and most of the preferences, I suggest Fab's AutoBackup 6 Pro.
http://www.fpnet.fr/
Hello all
I've been given the tedious task of replacing a server with a new one using a different domain, then rejoining all of the desktops to the new domain.
There won't be any kind of migration, just rejoining desktops to new domain.
Has anyone got any recommendations on what would be the best way to transfer the desktops user profiles from the old domain profile to the new domain profile?
Any advice would be appreciated.
Thanks
This topic first appeared in the Spiceworks Community -
Migrate to new domain and new SCCM
The migration scenario is this:
All Clients are in Domain1 and are managed through SCCM 2012 with System Center Endpoint Protection 2012.
Some of the clients need to join a new domain and be managed through a new SCCM 2012 R2 server with System Center Endpoint Protection 2012 R2.
There are no trusts between the forests. Do we need to uninstall the SCCM 2012 Agent and SCEP 2012 and then install the new SCCM 2012 R2 Agent and SCEP 2012 R2?
Or can we just uninstall SCCM 2012 Agent only and keep SCEP 2012 and later install.
There are multiple ways to go about it.
Assuming that the AD forest is properly extended and the new site's info is properly published, then you can simply run a script:
http://msdn.microsoft.com/en-us/library/cc146558.aspx
http://gallery.technet.microsoft.com/scriptcenter/Change-sccm-configmgr-cf6e0327/view/Discussions
If the two assumptions above aren't correct, then the client has no way of getting the trusted root key gracefully for the new site and running ccmsetup is the best way.
The ccmsetup bootstrapper will download files as needed from the closest DP but (from memory) won't redownload files if they are already present in the ccmsetup folder.
A client push is probably the easiest method to initiate ccmsetup because it can be managed from a central location -- just make sure you select the checkbox for always reinstall. Of course, as mentioned above, if someone has previously used the "group policy" to assign the site to your clients, you'll need to clean up that mess first otherwise the clients will always try to assign to the old site.
Jason | http://blog.configmgrftw.com -
SubInACL tool with NetApp CIFS migration to new domain
Hello
I have DomainA (old) and DomainB (new). I am migrating services from DomainA to DomainB. I have a NetApp filer running CIFS in DomainA. I have a two-way trust between the two domains. All the security groups have been migrated from DomainA to DomainB with SID history via the Quest tool. Now I need to re-permission NTFS on all the shares with DomainB. I tried using the subinacl tool with the following syntax, without success:
subinacl /outputlog=c:\output.txt /errorlog=c:\error.txt /subdirectories Z:* /migratedomain=domainA=DomainB=MAPFILE.TXT
where the map file has a mapping between the groups of DomainA and DomainB, and Z is a drive mapped to the NetApp CIFS volume,
but it errored out with the following:
Last Syntax Error:WARNING : /migratedomain=DomainA=DomainB=mapfile.txt : Invalid option : Z:\*
Hi,
Do you run the command from an elevated command prompt? Verify you have proper permission for the mapped drive. Please use the following version of SubInACL.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510
For domain migration:
SubinAcl /noverbose /subdirectories x:\*.* /changedomain=DomainA=DomainB
For server migration:
SubinAcl /subdirectories \\Destserver\Share\*.* /migratedomain=SourceServer=DestServer
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
Export list of users and passwords for migration to new domain
Hello,
I am in the planning phases of moving an SBS2008 domain to a Windows Server 2012 AD domain. I have looked into ADMT but it refuses to install on SBS2008 (error: not a valid win32 application). Is there another avenue I can look into that will help me export all SBS domain users and their passwords, and import them into my 2012 domain?
cheers,
Jonathan Horne
Hi,
Regarding your request, if you want to migrate SBS 2008 to Windows Server 2012 Standard, please refer to the following article.
Transition from Small Business Server to Standard Windows Server
http://blogs.technet.com/b/infratalks/archive/2012/09/07/transition-from-small-business-server-to-standard-windows-server.aspx
As it mentioned, you could first join the Windows Server 2012 Standard server to the current SBS domain and promote it as an additional DC, then it will have the user objects on it.
Hope it helps.
Best Regards,
Andy Qi
TechNet Subscriber Support
Andy Qi
TechNet Community Support -
We currently have a single Windows 2008 R2 Active Directory domain controller, and an Exchange 2010 server. We are in the process of adding a child domain on a second Active Directory server for an offsite office location for a subdivision of our company.
The two locations will be connected via VPN.
Currently users exist on the root domain with Exchange accounts who will be moving to the new offsite company/location. We would like to be able to move these user accounts to the child domain while maintaining their existing Exchange mailboxes and
email addresses. Is this possible, and if so how would we do it?
Hi Srinivasa,
According to your description, I think you have done all the preparation.
For DL migration, the following article may give you some hints:
How to Migrate Distribution Groups Across a Forest
Good Luck!
Niko Cheng
TechNet Community Support -
Migration; Exchange 2003 SP2 to Exchange 2013 on new Domain and DC
I wasn't prepared for this task, and it was thrown at me to do... Eyes are bleeding from planning reading and planning, would LOVE any input from you guys. First time posting, here and have heard great things about these forums. The Company
I work for obtained a new client and a network that is in a cluster at the moment, so I'm having to dig through everything and restructure..
Scenario:
Old Domain/Server: (To be decommissioned)
Server 2003 Standard SP2 (Domain: cosco.com; NETBIOS name: coscoex)
Exchange 2003 SP2 (6.5.7638.1)
Server is a domain controller and exchange server.
Migrating to:
Server 2012 R2 Datacenter (New Domain ad.cosco.com; NETBIOS name: cosco)
VM #1: Server 2012 R2 Domain Controller at 2012 R2 Functionality
VM #2: Server 2012 R2 with Exchange 2013 Standard (Not Yet Installed) Joined to ad.cosco.com domain
VM #3: Server 2012 R2 with Exchange 2010 (Not Yet Installed) joined to ad.cosco.com domain
These are probably not ideal conditions, but I have to work with what I'm given.
Host server (2012 R2) is in work group mode. Hyper V Installed with a VM of Server 2012 R2 and as a DC at a functionality level of Server 2012 R2. I had intended starting at a lower functionality level and raising
it later, but.... ya I forgot to change it. If needed I can spool up a new DC with a lower functional level.
DNS, AD and group policy is all jacked up on the 2003 DC so that doesn't matter, All user accounts are going to be created under the new domain. The concern is migrating the mailboxes from Exchange 2003 on the old domain to
Exchange 2013 on the new domain. The client is going to provide CSV of the AD accounts that are still valid (a lot of accounts are no longer used or are from people that no longer with the organization.)
I had some ideas, but I'm not sure if they will work. This is something I have never done before (Senior Engineer Quit).
My thoughts:
- Establish a two way trust relationship between the two domains.
- Create two VM's, one with Exchange 2010 and one with Exchange 2013 (They have a 2010 licence that was not used).
- Create the users on the new domain
- Use the double hop method from Exchange 2003 > Exchange 2010 > Exchange 2013
- Link Exchange accounts to the correct user accounts on the new DC.
Can this be done cleanly? Am I going about this the correct way? Any feedback would be GREATLY appreciated.
Note: We are forced to use ad.cosco.com (Obviously not the actual domain name)
Hi,
Based on my experience, your idea is feasible.
However, before getting started, you should note that Exchange 2010 (with any service pack or update rollups) is not (yet) supported to install on Windows 2012 R2. For more details, refer to the following link:
http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx
After all the preparations are complete, you can refer to the following articles to migrate Exchange 2003 to 2010, then to 2013:
Exchange 2003 to 2010 Cross-Forest Migration Step by Step Guide
Exchange 2010/2007 to 2013 Migration and Co-existence Guide
Best regards,
Niko Cheng
TechNet Community Support -
Cannot add users to new domains anymore
I got messaging server and delegated admin to work just fine recently until I tried getting LDAP authentication to work so LDAP users could log into Sunrays.
I used idsconfig and saw that it added a bunch of stuff to the directory so I deleted that stuff after I realized I couldn't add users to a new domain anymore. It just says "cannot create user - unknown error". I can still add users to old domains just fine.
And I tried both DA and commadmin, neither work. Heres my Messaging server and DA version:
Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
SunOS testy.i-n-control.com 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire-V440
Delegated Administrator 6.3-0.09
I turned on debugging for DA and heres the output:
TRACE [Wed Aug 02 10:10:47 MDT 2006] Default people container = ou=People,o=domain,dc=mail,dc=example,dc=com
TRACE [Wed Aug 02 10:10:47 MDT 2006] ServerPushThread: setting stop flag
TRACE [Wed Aug 02 10:10:47 MDT 2006] commTaskManager: progress thread stopped
TRACE [Wed Aug 02 10:10:47 MDT 2006] com.iplanet.am.sdk.AMException: Unable to create entry.
at com.iplanet.am.sdk.ldap.DirectoryManager.processInternalException(DirectoryManager.java:433)
at com.iplanet.am.sdk.ldap.DirectoryManager.createUser(DirectoryManager.java:1046)
at com.iplanet.am.sdk.ldap.DirectoryManager.createEntry(DirectoryManager.java:1525)
at com.iplanet.am.sdk.AMDirectoryManager.createEntry(AMDirectoryManager.java:651)
at com.iplanet.am.sdk.AMCacheManager.createEntry(AMCacheManager.java:337)
at com.iplanet.am.sdk.AMObjectImpl.create(AMObjectImpl.java:1009)
at com.iplanet.am.sdk.AMPeopleContainerImpl.createUser(AMPeopleContainerImpl.java:285)
at sun.comm.cli.server.servlet.CreateUser.create(CreateUser.java:677)
at sun.comm.cli.server.servlet.CreateUser.doTask(CreateUser.java:91)
at sun.comm.cli.server.servlet.commTaskManager.execute(commTaskManager.java:196)
at sun.comm.cli.server.servlet.commServlet.doPost(commServlet.java:90)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
at org.apache.catalina.core.StandardWrapperValve.invokeServletService(StandardWrapperValve.java:771)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:322)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
TRACE [Wed Aug 02 10:10:47 MDT 2006] After AM Exception , msg being sent is Unable to create entry.^324^NONE
TRACE [Wed Aug 02 10:10:47 MDT 2006] in CLIPageData constructor:status = 1
TRACE [Wed Aug 02 10:10:47 MDT 2006] commTaskManager - execute => generateOutput
TRACE [Wed Aug 02 10:10:47 MDT 2006] In CLIPageGenerator ....
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : cliData.status = 1
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : CLIPageData.OK = 0
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : CLIPageData.FAIL = 1
TRACE [Wed Aug 02 10:10:47 MDT 2006] Failed: Unable to create entry.^324^NONE
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - Printing successfull results
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - status => FAIL
TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - message => Unable to create entry.^324^NONE
TRACE [Wed Aug 02 10:10:48 MDT 2006] ServerPushThread: done
TRACE [Wed Aug 02 10:10:48 MDT 2006] ServerPushThread: done
TRACE [Wed Aug 02 10:10:49 MDT 2006] ServerPushThread: done
TRACE [Wed Aug 02 10:10:58 MDT 2006] sun.comm.cli.server.servlet.commLDAPAuth: shutting down. Total access count = 1
Message was edited by:
nate.wheeler
> Frankly, I'm new to LDAP so I don't know really what changed.
No time like the present to start learning.
> It's weird, I can do some things, but not others. Like I can assign service packages, but not change the login id or password of a user. So it doesn't look like amadmin can't change things.
LDAP provides "ACI", or Access Control settings that can be changed, and create exactly the kinds of things you're looking at.
The Directory Console can view ACI
> The password encryption seemed to have changed from {SSHA} to {CRYPT}. Although I have no idea how to switch it back or where to look to see if it did.
Unlikely to have made any difference. That should be transparent to the application using DS.
Most of our applications don't compare the password entry, but attempt a BIND for that very reason.
Again, I'd be looking at your LDAP access logs for a clue to what's happening.
Message was edited by:
nate.wheeler -
Cant Select Users on New Domain
I recently added a new domain to the network. I wanted to map the users from the new domain to have them access my SharePoint 2013 server. I mapped the new domain successfully using the user profile service. Profiles seem to have been imported without any errors; however, when I go to my SharePoint 2013 site I'm unable to select any users from the new domain. Only users from the old domain are coming up. I went as far as to delete the old user profile service and create a brand new one pointed to the new domain. Still no luck. I restarted and reset IIS. I waited a day to see if there was some sort of time delay with the update but still no luck. My SharePoint server is on the old domain. What am I doing wrong?
My Setup: SharePoint 2013 Enterprise
Domain Controller: Windows 2012 Server.
IT Consultant
What form of Domain Trust is between the two domains? SharePoint must also have port access to the new Domain Controller(s) that host the new domain.
SharePoint picks people from the Domain Controller directly. The UPA is only used to append information after the user has been found in Active Directory.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Migration of SCCM 2012 SP1 to SCCM 2012 R2 in a new domain.
I am wondering if it is possible to migrate objects from a SCCM 2012 SP1 server in one domain to a new SCCM 2012 R2 server in another domain ?
I read this article, but it does not state this particular combination.
http://technet.microsoft.com/en-us/library/gg682006.aspx
Thx
Thomas
Migrating from SCCM 2012 SP1 to SCCM 2012 R2 in the same environment/domain is supported and applicable.
But migrating to a new domain is not supported. Also, you can't migrate the database for a new domain or object; you will need to rebuild it.
Mai Ali | My blog: Technical | Twitter:
Mai Ali -
Hello,
Our enterprise has been acquired by another one, and we are now migrating everything from our current domain to the new one. At this point there is a trust between the two domains. Our main applications are web applications using SharePoint, DotNetNuke and TFS with integrated authentication against our current domain. We are facing a situation for which I would appreciate some tips. We need to migrate all our current domain users to the new domain; the user logins will change, but we need to do some kind of match from the current user to the new user on SharePoint, TFS and DotNetNuke to keep all the history.
How can we do this kind of match?
I think that is exactly what we need.
I will now investigate further.
Thanks a lot -
We have migrated machines using the ADMT tool but we have found Group Policy issues on some Windows 7 machines. We see that the computer GP is coming from the new domain but the user's profile still has the old domain GP information. Any help on removing the old GP objects and forcing the new domain user policy would be great. We have tried the basic troubleshooting: gpupdate /force, reboot, etc.
Thanks
Hi,
Sorry for the delayed response.
First, please verify whether these domain users you mentioned belong to old domain or new domain.
If they belong to old domain the GP is right with no problem. If they belong to new, try following suggestions.
Please test these steps in one of the problematic computer. If it worked, then go on for others.
To avoid unexpected problems, please back up your registry keys before following these steps:
Open regedit.exe, and delete following keys:
HKLM\Software\Policies\Microsoft Key (looks like a folder).
HKCU\Software\Policies\Microsoft Key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects Key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies key
Exit the registry and restart.
Note: HKLM = HKEY_LOCAL_MACHINE & HKCU = HKEY_CURRENT_USER
Kate Li
TechNet Community Support -
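The backup-then-delete procedure from the reply above as a script, run on one test machine first; this is an added example, not part of the original reply. The backup folder is an assumption, and the four keys are the ones listed in the reply.

```powershell
# Added example, not from the original reply.
# Run elevated (needed for HKLM) AND in the session of the affected user:
# HKCU is the hive of whoever runs the script, so running it under a separate
# admin account would clean that admin's policy keys, not the user's.
$backupDir = "C:\GPBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # hypothetical location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The four keys named in the reply
$keys = @(
    'HKLM\Software\Policies\Microsoft',
    'HKCU\Software\Policies\Microsoft',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

foreach ($key in $keys) {
    # Registry provider path for Test-Path / Remove-Item
    $psPath = 'Registry::' + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKCU', 'HKEY_CURRENT_USER')
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "Skipped (not present): $key"
        continue
    }

    # Export first; only delete when the .reg file was actually written
    $backupFile = Join-Path $backupDir (($key -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $key $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
        Write-Warning "Backup failed, key left in place: $key"
        continue
    }

    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Output "Removed $key (backup: $backupFile)"
}

# The reply's last step is a restart; policy is re-applied from the new domain
# at the next startup and logon.
Write-Output "Backups are in $backupDir. Restart the computer to re-apply policy."
```

To roll back, import the saved files with `reg import` and restart.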
Migrating Lync 2013 to new domain
I have a customer who wants to migrate their Lync servers to a new domain. Is this possible with the existing servers or do I need to backup the config, deploy new Lync servers in that domain and restore the config? Thanks in advance.
New SIP domain or a new Active Directory Domain? You can easily add new SIP domains to the environment. You cannot move a Lync Server from one AD domain to another. You would need to migrate users in a cross forest scenario or backup contacts and restore.
Thanks,
Richard
Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com