Merging 2000 & 2003 Forests

[acl03]

I posted this in the 2003 forum, but i thought it might be more appropriate here.

We have a 2003 mode domain/forest.

Central IT has a 2000 Mixed domain/forest.

Central IT is requiring that we move into a single domain (theirs). They cannot upgrade to 2003 mode, they need to stay in 2003 mixed because of NT Domain controllers.

My question - how can we move our users into their domain most seamlessly (without touching each user's pc, creating a new profile on their machine, etc).

Ideally, I'd like for one day, they just login to their domain, and instead of seeing oldDomain in the login screen, they see newDomain, and their old password and profile would still be used.

Any recommendations?



Thanks,
Andrew



Thanks,
Andrew

 

[StoneEdge]

Hi

Have you tried to use Microsoft ADMT to move users between forests and domains?

 

[markdmac]

Exactly what I recommended in the 2003 forum.

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

I tried but it confused me

Do I have to set up a trust first or anything?



Thanks,
Andrew

 

[StoneEdge]

Hi

If is different forests, ad/or domains, yes you must.

Then just choose the source move/copy what you want


StoneEdge
NetVitorianos Technologies Administrator

 

[markdmac]

There is extensive documentation for ADMT on support.microsoft.com. That is the place for you to start.

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Everything I'm reading shows migration from an NT domain to a 2000 domain.

What about going from a 2003 domain to a 2000 Mixed domain?



Thanks,
Andrew

 

[markdmac]

It is all the same. You will want to look at the steps documented for migrating users from 2000 to 2003. It can work both ways.

http://www.petri.co.il/active_directory_migration_tool_usage_w2k_windows_2003.htm

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Cool thanks.

I got a bit farther, but it is saying "The target domain is not in native mode." when i try to migrate users.

The target is in 2000 mixed mode...do i have to be in native mode to migrate using ADMT?



Thanks,
Andrew

 

[StoneEdge]

Hi again

Yes.

Migrations betweens different domains(and different SO) must be in native mode.


StoneEdge
NetVitorianos Technologies Administrator

 

[acl03]

Well that's not good news for us, as central IT has a mixed mode domain and can't raise the functional level due to some old systems.



Thanks,
Andrew

 

[markdmac]

Sounds like you are stuck.

You could try one thing. Setup a new DC on the 2000 domain. Make it a GC. Could be just workstation hardware. After it replicates all user objects, physically remove it from the network. Attach it to a switch so it sees a network connection, but don't have that switch go anywhere else.

Seize the FSMO roles. Then raise the level. Use this machine to migrate the user accounts.

It won't help you for the computer accounts but it gets you half way there.

When you are ready you can use NETDOM to move the computers over remotely from the one domain to the other. I have a script that does that if you want it.

Down side of going this route is that user profiles will not be moved over like they would if using ADMT.

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Hmm...interesting idea. But after we raise the functional level of the 2000 domain to native, how do we connect that DC back to the non-native domain?

We may be able to convince them to go to 2003 mode for the domain we migrate into, and create a separate 2000 mixed domain for their legacy stuff.

I would assume merging two 2003 mode domains is a lot easier?




Thanks,
Andrew

 

[acl03]

One other question - i was testing out migrating users from a 2003 domain to a 2000 native domain. I am assuming if i want the users' old profiles to still be active, i'd have to migrate SID's right?

I followed the direcetions on that site you sent me (Mark) and modified the registry and created the $$$ group.

THe problem is that the user doing the migration from the source to the destination has to be an admin on both domains.

When i go to the administrators group on the destination domain, i cannot add any members of the source domain (or vice versa). The "Look In" box where you pick which domain to look at is either grayed out, or does not display the domain other than the one i am currently attached to. How do I fix that?



Thanks,
Andrew

 

[markdmac]

Hmm...interesting idea. But after we raise the functional level of the 2000 domain to native, how do we connect that DC back to the non-native domain?

You wouldn't. The idea here is to just get a copy of your AD info so it can be migrated. This would be happening in Parallel to the real domain and would require that the upgraded 2000 domain and the trusted 2003 domain would not have connectivity to the production 2000 domain.

When i go to the administrators group on the destination domain, i cannot add any members of the source domain (or vice versa).

Did you enable trusts between both domains?



I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Mark - I did enable a full two-way trust between domains. They even validate successfully...



Thanks,
Andrew

 

[markdmac]

OK and did you try manually typing in domainname\username when trying to add a user from the other domain?

When I did a computer migration for one customer I found I had to add the new admin account as part of the local machine admin group. I did the first by hand for testing but then scripted it for the rest.

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Mark - I did try doing domain\username to add the user...



Thanks,
Andrew

 

[markdmac]

Looking back at this I would say you probably have a DNS issue. Try setting the secondary DNS for each domain to point to the trusted domains DC.

I hope you find this post helpful.

Regards,

Mark

 

[acl03]

Actually already tried that...



Thanks,
Andrew