Need Help on moving users from one DC to another.

  • Need Help on moving users from one DC to another.

    Hi,

    I'm new to AD and this is my first task. Please help.

    Scenario is like this:

    There is an application which is going thro' an upgrade process. Once this application is upgraded, they want only the users accessing this application to be on the new AD and not the existing AD. Could you please let me know how to go about this.

    Let me know if my understanding is right.

    1. Promote the new server (supposedly this will be the same as the existing one, probably MS Server 2000) as a DC within the same domain.
    2. Once the replication is done, create a new user group and move all the required users into this.

    A. I would like to know if this will work?
    B. What will the difference be?
    C. Will they still have the same passwords, access to services etc?

    The more I think about the requirement, the more confusing it gets. Please help.

    Thanks in advance.

    Regards,
    Sandeep

  • #2
    Re: Need Help on moving users from one DC to another.

    User accounts in a domain aren't like Exchange mailboxes - they don't 'live' on one server or another. All domain user accounts exist on all domain controllers. Once you add the new DC to the domain, after replication takes place that DC will have a copy of the domain and all user accounts within it.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    • #3
      Re: Need Help on moving users from one DC to another.

      Thanks Gareth. That's exactly what I thought...

      Is there a way where I can have this upgraded application access the new AD instead of the old AD? If so, how do I go about it, and how can I move ONLY the relevant user group from the old AD to the new AD? Does this mean I have to create the new AD with a new domain?

      I have another question: How is a domain in AD different from the domains in networking?

      Regards,
      Sandeep

      • #4
        Re: Need Help on moving users from one DC to another.

        I'm not sure I follow you. In your first post, you say you're going to create a new AD with the new server, but then you also say that you're going to add it as a second DC in the existing domain.

        Could you clarify what exactly you're trying to do?

        The terms 'AD' (Active Directory) and 'domain' are largely interchangeable; however, there are other uses for the term 'domain' too.

        A new AD is a new domain.

        • #5
          Re: Need Help on moving users from one DC to another.

          It depends whether it is a security risk if others use the application who shouldn't. If that is a concern, then the best way is to create a new forest, which will create a root domain. It is then isolated from the old domain.

          However, should users be using the same computer with some using the application and others not, that wouldn't be feasible.

          If the application is AD based or uses AD LDS, you may want to create a separate forest to ensure there is less risk of the schema and AD structure becoming unstable, when the AD attributes required are added.

          Should you wish to enforce a different password policy, maybe a more secure one for users of the application, then you perhaps would need to create a sub-domain for the application.

          If you only allow certain IT staff control of the application, you may need to create a separate forest or create another domain tree.

          • #6
            Re: Need Help on moving users from one DC to another.

            @Gareth: sorry for the confusion, I'm new to the AD terminology..
            @Virtual: Thanks.

            Say, during the AD installation I choose "Additional Domain Controller for the existing domain" (this is the second option in the first screen during the AD installation, I guess) and in the next screen I select "Create a child domain in an existing domain tree". If I continue the installation in this sequence, will the objects in the root domain get replicated into the new child domain? If the objects do not get replicated into the child domain, how can I move only the users of a certain group (I guess it's called an OU) with all their related attributes (login details, policies, etc.) into the new child domain, so that I can direct this upgraded application to talk to this new child domain only?

            I hope I have framed the question right...

            Thanks so much, am now able to get a better understanding of AD

            Regards,
            Sandeep

            • #7
              Re: Need Help on moving users from one DC to another.

              You can use the ADMT tool.

              http://www.microsoft.com/downloads/d...displaylang=en

              That will allow you to move Groups and User objects across. You can then create new policies on that domain or I believe export them from the old domain and then import them in to the new domain.

              http://technet.microsoft.com/en-us/l.../cc785343.aspx

              The issue with another sub-domain will be the increased administration that I didn't mention before.

              An OU (Organisational Unit) is a container for objects and is useful when setting policies. You tend to put either User accounts or Computer accounts in their own container, maybe also separating by department or location, whatever way you want.

              To OUs, you tend to apply the relevant computer and user lockdown policies.

              Users and computers can be added to groups. When the users are added to a group, the group may be in its own OU, separate from the users. The users may be in different OUs. Groups are usually used to grant permissions to users who have the same job roles or require access to the same resources.

              When you move a group to the other domain, you must make sure you move the associated user accounts at the same time, if possible. Moving a group will not move the user accounts.
              Last edited by Virtual; 20th February 2009, 22:53.

              • #8
                Re: Need Help on moving users from one DC to another.

                @Virtual: Thanks so much. I guess ADMT will be the best way to go forward. I'll get back if I have any related queries.

                • #9
                  Re: Need Help on moving users from one DC to another.

                  Hi,

                  I'm deciding if we have to use ADMT or could we just export and import the data. I would require your help to get some queries clarified.

                  1. Can I export all the groups from one AD which is in production environment into an excel sheet?
                  2. Export all the users in a similar way as above, with all the attributes (these attributes will be those which are present in tabs which appear while user creation, like General tab, profile tab, account tab, etc), could we do this?

                  Once the above two are exported, can I do some changes in the excel and upload/ import it into another AD which is in testbed with a different forest and different domain?
                  Will this cause any problem? Am not interested in passwords and policies (there seems to be no policies created).

                  What if there is a container with NIS groups? Could I use the same method as above to export and import?

                  What sort of scripting will be required? And do these need any installation on the AD server? (As there are stringent policies regarding any installation onto the production AD server, I need to use something that would already be there on the AD server by default.)

                  Appreciate your help.

                  Regards,
                  Sandeep

                  • #10
                    Re: Need Help on moving users from one DC to another.

                    Originally posted by sandeep_ydas:
                    Hi,

                    I'm deciding if we have to use ADMT or could we just export and import the data. I would require your help to get some queries clarified.

                    1. Can I export all the groups from one AD which is in production environment into an excel sheet?
                    You can possibly use CSVDE or some other tools may be of use.

                    http://www.computerperformance.co.uk...VDE_LDIFDE.htm


                    2. Export all the users in a similar way as above, with all the attributes (these attributes will be those which are present in tabs which appear while user creation, like General tab, profile tab, account tab, etc), could we do this?
                    Once the AD data is exported to the CSV file, this can be edited as appropriate.

                    http://technet.microsoft.com/en-us/l.../cc732101.aspx


                    Once the above two are exported, can I do some changes in the excel and upload/ import it into another AD which is in testbed with a different forest and different domain?
                    I believe so, though I have only used ADMT before and found it effective enough.


                    Will this cause any problem?
                    More potential to do so. Using ADMT allows you to roll back changes as you migrate, so it will minimise risk. CSVDE is also more complex. There is also more chance of human error updating the CSV file before re-importing.


                    What if there is a container with NIS groups? Could I use the same method as above to export and import?
                    Not entirely sure of that feasibility. It is still an AD object, so it may be possible.


                    What sort of scripting will be required?
                    Depends on whether you want to import objects from your CSV or use a script to create objects and use the excel sheet to decide the objects that need to be created. That will allow you to then plan your new structure with regards to OUs, Groups etc etc.

                    This is useful to create scripts.

                    http://www.microsoft.com/technet/scr...s/admatic.mspx


                    And does these need any installation on the AD server? (As there are stringent policies regarding any installation onto the production AD server, need to use something that would already be there on the AD server by default)
                    Policies will already exist as default. How you lock a server down will depend on its roles. Once you have installed a server, you can use the following.

                    MBSA - to have a check if there are any obvious security vulnerabilities.

                    http://technet.microsoft.com/en-us/s.../cc184924.aspx

                    This is a good guide regarding Group Policies that can be downloaded and implemented for w2k3 servers, XP and Vista Clients.

                    http://www.microsoft.com/downloads/d...displaylang=en

                    What AD domains are we talking about by the way?

                    • #11
                      Re: Need Help on moving users from one DC to another.

                      Thanks!

                      About the stringent policies, I meant the company rules regarding the installation of any tool on the AD server, like CSVDE installation to extract and upload. Is there anything that would be a default on AD for export and import?

                      Originally posted by Virtual:
                      What AD domains are we talking about by the way?
                      Sorry, I wasn't able to understand this question. This AD is not the same as the enterprise AD; it's a new domain with a new forest for Citrix applications.

                      Regards,
                      Sandeep

                      • #12
                        Re: Need Help on moving users from one DC to another.

                        Nothing default that I am aware of. The CSVDE tool doesn't need to be installed and can be run from the location of the program in the command prompt.

                        • #13
                          Re: Need Help on moving users from one DC to another.

                          I just found that LDIFDE utility exists on the AD server. I exported all the users without using any filter and got all the details I was looking for.
                          I'm in a dilemma now!

                          I get the following fields

                          whenCreated:
                          whenChanged:
                          uSNCreated:
                          objectGUID:: (with a weird set of characters)
                          userAccountControl:
                          primaryGroupID:
                          etc....

                          I do not know what can be imported and what cannot.
                          I'm guessing that the password cannot be imported, which is fine.

                          Could anyone please let me know what are the important fields I need and will there be any consequences if I include ObjectGUID, PrimaryGroupID, etc related to the user?

                          What will happen if I upload the same data removing the SID (as I'm guessing this is encrypted and cannot be used in the new system, which is the testbed AD)?
                          How can I make sure if the SID is being used in the current environment?

                          As far as I know, AD is being used only for Authentication. Users access applications which are published on Citrix and Citrix uses AD for authentication. So, could I go ahead with the normal export and import with LDIFDE?

                          Kindly advise.

                          Thanks and regards,
                          Sandeep

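As an added example (not from the thread, and not a Microsoft tool), here is a Python filter that takes an LDIFDE export like the one described in this post and produces an import-ready file for a different domain: it drops the system-owned and domain-specific attributes (objectGUID, objectSid, uSN*, when*, primaryGroupID and similar), rewrites the DN suffix, and sets the ACCOUNTDISABLE bit in userAccountControl because no password travels with the export. The domain names, the sample record and the exact drop list are constructed assumptions for illustration.

```python
import re
# Attributes LDIFDE writes on export but that the new domain generates itself, or
# that only mean something in the old domain (SIDs, RIDs, USNs, group back-links).
DROP_ATTRS = {"objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
              "whenchanged", "primarygroupid", "samaccounttype", "memberof",
              "pwdlastset", "lastlogon", "lastlogontimestamp", "badpwdcount",
              "badpasswordtime", "logoncount", "instancetype", "objectcategory",
              "distinguishedname", "name", "changetype"}
ACCOUNTDISABLE = 0x2  # userAccountControl bit
# Constructed sample of one record as `ldifde -f users.ldf` writes it; not real data.
SAMPLE_EXPORT = """\
dn: CN=Jane Doe,OU=Citrix Users,DC=corp,DC=example
changetype: add
objectClass: user
uSNCreated: 12869
objectGUID:: 9Yk1f0F3xkq8r1m2Zz5uDg==
userAccountControl: 512
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAq83vAHh2EgAqAAAAUQQAAA==
sAMAccountName: jdoe
manager: CN=Bob Lee,OU=Citrix Users,
 DC=corp,DC=example
"""

def rewrite_for_import(export, old_suffix, new_suffix, disable=True):
    """Return import-ready LDIF: DN suffix swapped, system-owned attributes gone."""
    swap = lambda s: re.sub(re.escape(old_suffix), new_suffix, s, flags=re.I)
    lines = []
    for line in export.splitlines():           # unfold " continuation" lines
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    out = []
    for line in lines:
        m = re.match(r"([A-Za-z][\w;.-]*)(::?) ?(.*)", line)
        if not m:                               # blank line separates records
            out.append("")
            continue
        attr, sep, value = m.groups()
        if attr.lower() in DROP_ATTRS:
            continue
        if attr.lower() == "dn":
            out += ["dn: " + swap(value), "changetype: add"]
        elif attr.lower() == "useraccountcontrol" and disable:
            # No password travels with the export, so create the account
            # disabled; nobody can log on until a password has been set.
            out.append(f"{attr}: {int(value) | ACCOUNTDISABLE}")
        else:  # ':' text values may embed old-domain DNs (manager, member); '::' is base64
            out.append(f"{attr}{sep} {swap(value) if sep == ':' else value}")
    return "\n".join(out)
```

Feed the result to `ldifde -i` on the test domain; attributes such as `manager` or `member` that point at objects not yet created there will still need to be imported in a second pass.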


                          • #14
                            Re: Need Help on moving users from one DC to another.

                            No response?? Anyone, any advice please?.....

                            Cheers!
                            Sandeep

                            • #15
                              Re: Need Help on moving users from one DC to another.

                              Originally posted by sandeep_ydas:
                              No response?? Anyone, any advice please?.....

                              Cheers!
                              Sandeep
                              This may help.

                              http://support.microsoft.com/kb/555634
