AD domain rename through AD migration tips needed

  • #1

    Hi,

    I've read the few threats about domain rename and migration that I could find in this forum, and found them useful and informative, but I'd be happy to get a few tips to my exact situation/environment.

    My company has changed its name, and thus wants to also change the internal domain name.

    My MS network:
    50 x WinXP SP2/SP3
    10 x Win2003 Standard R2
    2 x DC
    Exchange 2003 Standard SP2 running on the PDC (not my doing...).
    5 x MSSQL 2005


    I understood from several experts that domain rename is less safe than domain migration, and when Exchange is installed on a DC it's problematic. I was advised to do a domain migration instead.

    The advised procedure chapter names are as follows:
    1. Installing a new domain with 1 x DC + 1 x Exchange server
    2. Establish mutual trust between the domains
    3. Configure SID history
    4. Plan and create the OU structure in the new domain
    5. Install ADMT on the new domain's DC
    6. Identify and map service accounts
    7. Migrate mailboxes (users still log in to the old domain)
    8. Migrate (copy) accounts and groups
    9. Migrate workstations and servers
    10. Cleanup (old domain can be turned off)


    I have several questions and I'd really appreciate any additional tip you can think of:
    1. My network is currently configured to use a single Class C subnet (192.168.0.x). DHCP is offering IPs in the range 192.168.0.110-190.
    Do I need to create the new domain in a separate IP subnet (e.g. 192.168.1.x), or can I install the new DC and Exchange with IPs in the same subnet (192.168.0.x)?
    2. Can I keep using the old domain's DHCP until I turn off the old DCs, or do I need to do something in regards to the DHCP during the migration process? (I assume that using the old domain's DHCP might create problems with updating the new domain's DNS...)
    3. Do you recommend creating a new forest (dcpromo -> "Domain in a new forest"), or a new domain in the existing forest (dcpromo -> "Domain tree in an existing forest")?
    4. Are there any other objects besides user accounts, groups (security and distribution) and computer accounts that need to be migrated?

    Thanks,
    Tom

  • #2
    Re: AD domain rename through AD migration tips needed

    Originally posted by eltoro200

    1. Installing a new domain with 1 x DC + 1 x Exchange server
    2. Establish mutual trust between the domains
    3. Configure SID history
    4. Plan and create the OU structure in the new domain
    5. Install ADMT on the new domain's DC
    6. Identify and map service accounts
    7. Migrate mailboxes (users still log in to the old domain)
    8. Migrate (copy) accounts and groups
    9. Migrate workstations and servers
    10. Cleanup (old domain can be turned off)

    1) 2 DCs are preferred, but that could be sorted out after the migration.
    2) Correct, use the following procedure before you continue with the other steps:
    http://forums.petri.com/showthread.php?t=26101
    3) There is no such thing as configuring SID history; however, you have the option of migrating the old SID as well, along with the user/group, etc.,
    and placing it in the SID history field of the newly created object in the new domain (part of the ADMT Migration Wizard).
    4) Correct.
    5) It is preferred to install ADMT on a regular server in the target/new domain, but it could also be installed on the DC if wanted.
    6) Correct (using ADMT for identifying and mapping service accounts).
    7) Mailboxes are migrated last!! Not before the user migration.
    8) Migrate service accounts 1st, global groups 2nd, then domain local groups, then user accounts.
    9) Yep - and you could also then migrate mailboxes if you wish.
    10) Correct.


    Originally posted by eltoro200
    1. My network is currently configured to use a single Class C subnet (192.168.0.x). DHCP is offering IPs in the range 192.168.0.110-190.
    Do I need to create the new domain in a separate IP subnet (e.g. 192.168.1.x), or can I install the new DC and Exchange with IPs in the same subnet (192.168.0.x)?
    For static IPs it is not needed, but for order and tidiness it is recommended.
    As for workstations that get their IP from DHCP, I think you should have a different class/scope.

    Originally posted by eltoro200
    2. Can I keep using the old domain's DHCP until I turn off the old DCs, or do I need to do something in regards to the DHCP during the migration process? (I assume that using the old domain's DHCP might create problems with updating the new domain's DNS...)
    Theoretically it does not matter who gives out IP addresses to the machines as long as it does the job. With MS DHCP I think there is an issue with it being authorized with the domain, but I have little experience with MS DHCP.

    Originally posted by eltoro200
    3. Do you recommend creating a new forest (dcpromo -> "Domain in a new forest"), or a new domain in the existing forest (dcpromo -> "Domain tree in an existing forest")?
    New forest for sure, since you need a new name
    and there is no reason to keep the old forest.
    Besides, there are advantages in installing a new forest/domain over upgrading/upgraded domains;
    you could read more about it here:
    http://forums.petri.com/showthread.php?t=28189
    And you get the added value that migration between forests actually copies the resources rather than moving them,
    so you can always delete the users/groups, etc. and migrate them as many times as you like if you don't like the outcome, without affecting
    the old domain data, hardly needing a roll-back plan.
    If you migrate between domains in the same forest it is a "one way Charlie" (moving the objects) and it complicates things as far as rolling back.

    Originally posted by eltoro200
    4. Are there any other objects besides user accounts, groups (security and distribution) and computer accounts that need to be migrated?
    Not with ADMT; with other tools there are special options for migrating SharePoint Services, SMS, SQL, BizTalk, etc.
    But you are pretty much set with ADMT.

    Last edited by Akila; 12th October 2008, 21:19.

    • #3
      Re: AD domain rename through AD migration tips needed

      Akila, thanks a lot for the thorough reply! I assume you recommend moving the mailboxes last because that's the only object that has to be moved instead of copied, and that makes the rollback a little more complicated... Can you please elaborate a little on the situation with copying the computer and server accounts? I understand that when a computer account gets copied, that computer becomes a member of the new domain too, but what does it mean regarding the existing user profile? Would my users need to create a new profile, or could they use their existing profiles with all settings intact? Thanks again! Tom

      • #4
        Re: AD domain rename through AD migration tips needed

        The reason why you actually move the mailbox last is not b/c it is a move action rather than a copy; it is b/c the mailbox has to be attached to a user, and if you did not migrate the user beforehand, who would you move the mailbox to? There is no user to attach the mailbox to.

        Now as far as computer migration - I would refer to computer migration for both workstations and servers, since the process is the same.

        There are two things involved in computer migration:
        1) migrating the computer object in AD (just as you have a user/group object, you also have a computer object)
        2) performing what's called a security translation, which basically
        runs an agent on the computer which ADMT installs during migration (automatically).
        What that agent does is a few things, but the main 2 things it does are:
        * changes the computer's domain (very similar to what you do in the computer properties -> change from workgroup, etc.)
        * replaces or adds (depending on what you chose) the security (SID) on files and folders, and profiles, from the old user to the newly created user in the new domain.

        Now, you could migrate a computer either in one go (object migration & security translation) or do it in two phases.
        If you decide to do it in two phases then the computer object migration is very similar to the user migration, which means it copies the computer object rather than moving it.
        However, the security translation is a move process in a way.
        But since just migrating the computer object would do you no good for testing (since you can't really test whether the computer works well after migration without the security translation), there is no real need to divide the process into two, therefore you are better off doing it in one go.
        As for your question, once you migrate a computer (everything, including a security translation) then the user would not have to create a new profile, and the existing profile would be translated to his new user account in the new domain.
        This is how it works, but I must tell you that it doesn't work on 100% of the computers and there are many reasons why it could fail, so prepare yourself that not every computer profile will move correctly, but the majority of profiles should work fine.
        For those computers that failed profile migration there are free tools on the Internet with which you can copy the old profile into the new profile that was created.
        Google it, I am sure you will find it.
        Last edited by Akila; 17th October 2008, 11:14.
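The "replaces or adds" choice in the post above is the part of security translation that decides whether the old domain's SIDs survive on a migrated machine. The PowerShell below is an added example by the editor, not code from the thread or from ADMT: it models what the translation agent does to one NTFS ACL, entirely in memory (no domain, no real folder), so the difference between Add and Replace mode can be seen before running it against production servers. The domain SIDs, RIDs, account names and the "before" ACL are constructed placeholders; the SID map stands in for the mapping ADMT builds from its own migration log after the user and group migrations (step 8). Requires Windows PowerShell 3.0 or later.

```powershell
# Added example (editor's, not from the thread or from ADMT): in-memory model of
# ADMT security translation on an NTFS ACL, in "Add" vs "Replace" mode.
# All SIDs, RIDs and account names below are constructed, not real values.

$oldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed: old domain
$newDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'   # constructed: new domain

# Old SID -> new SID, as ADMT records it once users and groups have been migrated.
$sidMap = @{
    "$oldDomainSid-1105" = "$newDomainSid-1208"   # user  OLD\tom     -> NEW\tom     (constructed)
    "$oldDomainSid-1201" = "$newDomainSid-1300"   # group OLD\Finance -> NEW\Finance (constructed)
}

function New-Ace {
    param([string]$Sid, [string]$Rights)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Explicit Allow ACE that inherits to subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Rights, $inherit, 'None', 'Allow')
}

function New-SampleAcl {
    # Constructed "before" ACL of a share folder: old-domain user, old-domain group,
    # and BUILTIN\Administrators (well-known SID, must be left alone by translation)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.AddAccessRule((New-Ace "$oldDomainSid-1105" 'Modify'))
    $acl.AddAccessRule((New-Ace "$oldDomainSid-1201" 'ReadAndExecute'))
    $acl.AddAccessRule((New-Ace 'S-1-5-32-544' 'FullControl'))
    return $acl
}

function Invoke-SecurityTranslation {
    param(
        [System.Security.AccessControl.DirectorySecurity]$Acl,
        [hashtable]$SidMap,
        [ValidateSet('Add', 'Replace')][string]$Mode
    )
    # Enumerate ACEs by SID, not by account name: once the old domain is gone the
    # old SIDs no longer resolve to names, and translation must still find them.
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $oldSid = $rule.IdentityReference.Value
        if (-not $SidMap.ContainsKey($oldSid)) { continue }   # not a migrated principal; untouched
        $newId = New-Object System.Security.Principal.SecurityIdentifier($SidMap[$oldSid])
        # Same rights, inheritance and Allow/Deny type, new principal
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule($newId, $rule.FileSystemRights, $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
        $Acl.AddAccessRule($newRule)
        if ($Mode -eq 'Replace') { [void]$Acl.RemoveAccessRule($rule) }   # drop the old-domain ACE
    }
    return $Acl
}

function Show-Acl {
    param([System.Security.AccessControl.DirectorySecurity]$Acl, [string]$Label)
    "--- $Label ---"
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { '{0,-50} {1,-28} {2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $_.AccessControlType }
}

# Add mode: both old and new SIDs keep access (5 ACEs). Safe while the old domain
# is still up, because a fall-back to old-domain logons still works.
Show-Acl -Label 'Add mode' -Acl (Invoke-SecurityTranslation -Acl (New-SampleAcl) -SidMap $sidMap -Mode Add)

# Replace mode: old-domain ACEs are removed (3 ACEs, Administrators untouched).
# This is the cleanup pass before the old domain is turned off.
Show-Acl -Label 'Replace mode' -Acl (Invoke-SecurityTranslation -Acl (New-SampleAcl) -SidMap $sidMap -Mode Replace)
```

On a real volume the same logic runs through Get-Acl / Set-Acl, and the ADMT agent applies it not only to files and folders but also to shares, the registry, local group memberships and user profiles, which is why a migrated profile keeps working without being recreated. Two caveats worth planning for: SID history (the step 3 option) only makes old-domain ACEs work for the new account while the old SIDs are carried in its token, and for that to be honoured across the forest trust SID filtering has to be relaxed on the trust, which is a deliberate weakening of the control that otherwise blocks SID-history injection. So run the Add pass during the migration, the Replace pass at cleanup, and then purge sIDHistory from the migrated accounts and re-enable SID filtering (or drop the trust) when the old forest is decommissioned, rather than leaving the old SIDs as standing credentials.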

        • #5
          Re: AD domain rename through AD migration tips needed

          Akila, thanks so much for both posts!
          Your explanations have made all my questions very clear.

          • #6
            Re: AD domain rename through AD migration tips needed

            Originally posted by eltoro200
            Hi,

            I've read the few threats about domain rename
            That typo made me laugh as I imagined Jack Bauer screaming: WHO DO YOU WORK FOR? TELL ME BEFORE I RENAME YOUR DOMAIN! YOU KNOW IT WILL CRASH!
            VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

            • #7
              Re: AD domain rename through AD migration tips needed

              Originally posted by gepeto
              That typo made me laugh as I imagined Jack Bauer screaming: WHO DO YOU WORK FOR? TELL ME BEFORE I RENAME YOUR DOMAIN! YOU KNOW IT WILL CRASH!
              LOL I've just noticed that
