Move to new domain structure (was: new Active Directory plz help)


  • Move to new domain structure (was: new Active Directory plz help)

    Hello everyone,
    I hope that you can help me with this.
    I have an old Active Directory (2003). It's running fine, but it's not that good in terms of how users and groups are arranged,
    so we decided to make a new Active Directory in a new domain with a new domain controller, of course.
    So what is the best way to do this without affecting users and their profiles, shared folders and permissions?
    I am thinking of making a new domain with a new name, of course, and installing a new Active Directory on a fresh Win2003, then starting to add the users with a new arrangement of groups and OUs,
    then making a trust relationship between the two domains (new one and old one).
    After that I will ask users to log in with the same user name and set their same old passwords, because I think this will help with the sharing system: they can reach the shares without any change even though it's a new domain, but with the same user names and passwords.
    But I still worry about user profiles and other issues.
    Sorry for my long story and bad English. I hope to find some help from you people.
    Thanks in advance.

  • #2
    Re: new Active Directory plz help

    The only way you would be able to do that and retain the user rights, profiles, etc. is by migrating the users/groups/workstations/servers/etc. to the new domain.
    Just creating the same user names, passwords and groups on the new domain would not give those users access to the old domain's resources, even if a trust is in place. Names have no role in determining access to resources.
    Consider using ADMT for this task.



    • #3
      Re: new Active Directory plz help

      Akila, thanks for your quick reply.
      But don't you think that if I use ADMT here it will move the old mess to the new home?
      Because my old Active Directory is really messy.
      And if I go with a fresh domain and fresh Active Directory, should I add all users again and new groups with everything?
      By the way, I have already tried it now with Virtual PC: I made a new domain and new Active Directory, then I created my account in the new domain with the same user name and password, and logging in to the new domain I am still able to access my shares and get permission denied for those that are not mine.
      So I am confused now about this point: "Can they get to their shared folders if they have the same user name and password, even in a new domain?"
      Thanks again, Akila.
      I forgot to tell you, Akila, that I made the new domain without a trust relationship to the old one and I am still able to get to my shares.
      Last edited by Snipero; 17th August 2008, 14:53. Reason: adding more information



      • #4
        Re: new Active Directory plz help

        That is most likely because you have "Everyone" on your share.
        You may create new users, but then you have to take into consideration creating the permissions on all your resources for your new users/groups, such as shares/NTFS/service accounts/SQL/IIS/Exchange/public folders/etc. The most painful would be the users' workstation profiles or, in your case, roaming profiles.
        By migrating the users and groups you can migrate just what you want, filtering out all the mess.



        • #5
          Re: new Active Directory plz help

          Akila, I tried now with a new user:
          I added it on the old Active Directory and then added it on the new Active Directory with the same name and password, and tried to get access to my shares, but access was denied. When I logged in with my username it had access, even though I logged in to a new domain. How do you think this comes about? And I made sure the permission is only for me, not "Everyone".



          • #6
            Re: new Active Directory plz help

            I don't understand what you mean by "I added the user to the old domain"... Is that an existing user on the old domain that you just added to the new one, or is it a totally new user altogether?
            Anyway, there would be problems, as I mentioned before. Creating a new user means a new Security Identifier, otherwise known as a SID; permissions are based on SID, not on names.



            • #7
              Re: new Active Directory plz help

              Hello again, Akila.
              It's an existing user on the old domain that I just added to the new one, and I can still reach and access this user's permissions and shares the same as before.
              Can you explain more about SID, please? And really, thank you so much, you really help me, I appreciate that.
              Thanks, Akila.



              • #8
                Re: new Active Directory plz help

                Title changed.
                :sigh:
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: new Active Directory plz help

                  Originally posted by Snipero:
                  Hello again, Akila.
                  It's an existing user on the old domain that I just added to the new one, and I can still reach and access this user's permissions and shares the same as before.
                  Can you explain more about SID, please? And really, thank you so much, you really help me, I appreciate that.
                  Thanks, Akila.

                  When you create a security object in AD (e.g. user/group/workstation, everything that you assign permissions to), that object has a unique number, in a way like a Social Security number or an ID number. That number cannot be duplicated (and it shouldn't be), and no other object in AD would have the same number.
                  That number is known as the "SID".
                  When you give permissions to a user/group, etc., you are actually giving the permissions to the SID that represents the object and not to the object name itself. Think about it a bit: if you were to give permissions to the user name and not the SID, and then one day you renamed the user, you would lose all the permissions you ever gave that user.
                  By giving the permissions to the SID, you are not dependent on a user rename or on the location in the domain.
                  When you create the same user in a different domain, even though the user has the same name, that user has a different SID; hence it cannot access resources that were based on the user from the first domain, because it has a different SID.
                  When you migrate a user/group, whatever, with migration tools, they make sure to add the SID of the original user to the new user in the other domain, making sure you retain permissions to the resources of either domain.
                  Last edited by Akila; 20th August 2008, 11:09.
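
A simplified model of the points made in posts #4 and #9, added here as an illustration and not code from the thread or from any Microsoft tool: access is decided by matching SIDs, so a hand-recreated account with the same name is denied unless the ACL contains Everyone, while a migrated account that carries the source SID as SID history is allowed. The domain SIDs, RIDs, the account name and the `sid_filtering` flag (standing in for a trust that strips SID-history entries from foreign domains) are constructed assumptions, and group membership is left out.

```python
from dataclasses import dataclass, field

# Constructed sample values: two domain SIDs and the well-known Everyone SID.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
EVERYONE = "S-1-1-0"

@dataclass
class Account:
    name: str
    sid: str                                  # domain SID + RID, fixed at creation
    sid_history: list = field(default_factory=list)

    def token_sids(self, sid_filtering=False):
        """SIDs the resource server sees for this logon (group SIDs omitted)."""
        own_domain = self.sid.rsplit("-", 1)[0]
        history = [s for s in self.sid_history
                   if not sid_filtering or s.rsplit("-", 1)[0] == own_domain]
        return {self.sid, EVERYONE, *history}

def create(domain_sid, rid, name):
    """Fresh account: the name is free-form, the SID is new."""
    return Account(name, f"{domain_sid}-{rid}")

def migrate(source, domain_sid, rid):
    """Migrated account: new SID, with the source SID kept as SID history."""
    return Account(source.name, f"{domain_sid}-{rid}", [source.sid, *source.sid_history])

def has_access(account, acl_sids, sid_filtering=False):
    """An ACL is modelled as a set of allowed SIDs; names are never consulted."""
    return bool(account.token_sids(sid_filtering) & acl_sids)

def demo():
    original = create(OLD_DOMAIN, 1105, "jdoe")
    recreated = create(NEW_DOMAIN, 1601, "jdoe")      # same name, typed in by hand
    migrated = migrate(original, NEW_DOMAIN, 1602)
    private_acl = {original.sid}                      # share granted to the old account only
    return {
        "original": has_access(original, private_acl),
        "recreated": has_access(recreated, private_acl),
        "migrated": has_access(migrated, private_acl),
        "migrated_filtered": has_access(migrated, private_acl, sid_filtering=True),
        "recreated_everyone": has_access(recreated, {EVERYONE}),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20} {'allowed' if allowed else 'denied'}")
```

The `migrated_filtered` case is the one to check before a real migration: if the trust between the two domains filters SID history, migrated accounts lose access to old-domain resources until those ACLs are rewritten with the new SIDs.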
