2003 Domain Move 1

[wardog25]

We have two 2003 AD domains, I'll call them Domain1 and Domain2.

Domain1 has been around forever and it is a mess. Group structure, permissions, group policy, AD, etc. all need to be re-worked. It is in mixed mode. Rather than continually upgrading and bandaging this old beast, we decided to create a new domain, Domain2, to replace it. Domain2 is up and running with its own DCs, but with very little on it at the moment. It is in native mode. The idea is to eventually be only on Domain2 and we would take Domain1 down, once everything is off of it.

The two domains trust each other, but obviously when moving users and servers to another domain, you have to make sure everyone can see what they need to work, because none of this can go down for very long and you can only move one thing at a time.

We have a disagreement in our IT department as to how the move should take place, so I'm looking for some advice.

Some people think we should move the servers (we have about 80 Windows servers) to Domain2 first, then follow that by the users.

Others think we should move the users (we have about 500 of them) to Domain2 first, then move the servers once the users are all done.

Can someone help us with pros and cons of each plan? Will one way have a lot less issues than the other or go more smoothly?

Thanks.

 

[markdmac]

Use ADMT and move them ALL in one evening.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wardog25]

We do not have a very large team. We don't really think we have the staff to put out fires for 500 users and 80 servers on the same day. That is why we were planning to do them separately, and most likely do the users department by department.

 

[markdmac]

You will have more fires if you do it manually. ADMT will eliminate a lot of issues because you will preserve SID history and users will be able to keep their existing desktops. Furthermore ADMT can even let the users retain their passwords (provided they meet the complexity requirements on the new domain).

I've had to do many of these kind of migrations and this solution has always proven to be the best.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[58sniper]

I'm with Mark. Use ADMT or lose your sanity.

Pat Richard
Microsoft Exchange MVP

 

[wardog25]

So if we did everything at once, ADMT will preserve the groups and permissions and everything, just transferring them to the new domain? All users will have the same rights to everything they had before?

 

[58sniper]

Your best bet is to read the whitepaper. You'll need to setup some permissions and groups ahead of time. But you can typically do a full move with little to no impact on the users.

Pat Richard
Microsoft Exchange MVP

 

[markdmac]

For the most part, yes. When you use ADMT it will migrate the user IDs and groups over for you. Preserving group membership etc.

Doing it this way you can have a single person get the job done which will work best in your small team environment. As Pat has suggested, read the white paper and I would add you should do a search on support.microsoft.com for ADMT for some step by step guides to configuring for preserving passwords.

You can create a test ID and use a test PC to have a practice run and test things out before you really move the bulk of your users & computers.

Since you are not a one man shop, devote one person to really learning ADMT, have them run that project while others handle the current day to day stuff and you will bypass a lot of problems down the road.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[wardog25]

thanks for the info

 

[forbsy]

Some good stuff. What about if Domain 1 housed an Exchange 2003 server. Will ADMT ensure that the Exchange server will function the same in the new domain? The mail domain would be remaining the same.

 

[markdmac]

Exchange doesn't support changing Domain membership by disjoin/join Domain or ADMT processes. You need to deploy new Exchange to target Domain. You can then use the "Exchange Migration Wizard" to move mailboxes to the new Exchange server.

If you don't have a lot of hardware you can use a virtual server running Exchange in the new domain. Move the mailboxes and then set the old Exchange server back up in the new domain. Then use the MoveMailbox wizard to move the mailboxes off of the Virtual Server and onto the real server.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[forbsy]

Thanks. I don't want to change the Exchange mail domain nsme. If I have to install a new installation of Exchange in new domain, can I still call the new installation of Exchange the same mail domain as the first?

 

[58sniper]

The Active Directory domain name has nothing to do with the SMTP domains that Exchange can handle. They are completely separate.

Pat Richard
Microsoft Exchange MVP

 

[forbsy]

Right. That wasn't what I was asking. The situation is as follows:

Source AD Domain: domain1.com
Source Exchange Domain: exchange.com

Target AD Domain: domain2.com
Target Exchange Domain: exchange.com

So, I'd be migrating users, groups, computers from source domain to target domain. If I have to install a fresh installation of Exchange into Target Domain and move the mailboxes over (as markdmac suggests) can I keep the same name for the Exchange domain? Does the Exchange Migration tool allow that?

 

[58sniper]

As mentioned earlier, it doesn't really matter what the SMTP domain is set to. Yes, you can keep the same domain in Exchange. It's configured as part of the recipient policy, and can contain what ever domain name (or names) you want.

Pat Richard
Microsoft Exchange MVP

 

[forbsy]

Well, you had mentioned that the AD domain name had nothing to do with the SMTP domain name (thanks, but I was aware of that). I wasn't asking about that. I do know how Exchange and RUS policies operate, but appreciate your comment on me being able to run Exchange migration tool with an identically named source and target SMTP domain name. I'll spin up some vm's and test out this weekend.

Thanks

 

[Knackster]

forbsy,

Keep us posted on this as I am curently in the very same boat. Win2k and Ex2k migrating to a new domain name and win2k3 and ex2k7.

Our current domain is mixed mode and has been upgraded since NT3.51 and is a total wreck.

I've got the new hardware for the new DC, terminal server, and exchange server. So making the trust then moving the users and servers over needs to be painless. Unfortunately I can't upgrade all of my servers to win2k3 yet because Im running oracle 8i and have to wait for some propriotary software to be upgraded before the db can be upgraded.



Chris
IT Manager
Houston, Texas

 

[GrimR]

would The Exchange Domain Rename Fixup tool work on a ex2k7?.