
MSDSS, Services for Netware, and ADC 1

Status
Not open for further replies.

PScottC

MIS
Mar 16, 2003
1,285
US
I'm preparing for a complex migration from Novell with MS Exchange 5.5 to Windows 2000 with Exchange 2000.

I've used the Active Directory Connector to perform Exchange migrations previously and I'm comfortable using it.

I'm planning to use Microsoft's Services for Netware (which includes MS Directory Sync Service (MSDSS)) to migrate user accounts, NDS objects, and file system permissions.

Here's the catch. Users currently exist in both NDS and the NT 4 domain that runs Exchange. When I install MSDSS, as far as I understand, it will copy all the user accounts from NDS (whichever OU's I specify) and create them in AD (and keep them sync'd). When I set up the Active Directory Connector, it will do the same thing from Exchange 5.5 to AD.

Am I going to end up with a bunch of duplicate accounts? If so, how do I avoid this?

Any Ideas?

PSC
 
Hi,

I see this is a post from August so you are probably way ahead of us as we're preparing a similar migration. I'm looking for some advice and best practices. You probably could be a great help :)

The situation we are facing is Novell 4.2 NDS and an NT 4.0 and Exchange 5.5 environment. Connection between the two with NDS for NT.

Goal is to migrate to Windows 2003 and Exchange 2003. Upgrade of the NT 4.0 environment is not an option.

We're thinking to use MSDSS for the migration from Novell and not to use the ADC connector because theoretically we expect the problem you already stated (duplicate accounts).

Could you give us some pointers how you solved your problems and some tips on how you migrated this environment.

Anything helps

Frans
 
In the end I don't think there is any avoiding duplicate accounts. The problem being that you most likely don't want the NT4 accounts to be migrated.

We used a more brute force method due to time constraints and here's what we did...

We had some trouble getting MSDSS to synchronize the tree properly, so we used it simply to transfer the tree structure, user accounts, and groups from Novell to 2000. There are some DLL and Schema issues in Windows that cause this. We had an open case with Microsoft and their only Novell migration guy was pretty useless (I was surprised). If you're migrating from Netware 5+, it may not be so bad, but we could not get synchronization working. (It would partially copy the NDS tree, and then fail the rest, and because it was trying to synchronize in 2 directions we accidentally deleted part of the NDS OU we were testing on. Needless to say we didn't risk the rest of the tree to get this feature working.)

We transferred the NDS tree to an OU in AD (as diagrammed below). We continued having trouble with MSDSS and its file migration utility and just ended up using Robocopy on a migration server to move data from Novell to 2000. Even after completing quite a few DSRepairs the MSDSS file migration utility would work only 50% of the time. When it did work, it would only copy the files but not the permissions. We then recreated the permissions by hand. (In our case it wasn't too difficult.)

After transferring the tree, we used the ADC to create Contacts in AD, not user accounts. In the diagram below you can see the general structure we had with our initial AD setup. It did morph a bit as we cleaned it up post-migration. In any case, the ADC created the contacts in the Exchange Migration folder. When we used the Exchange Migration tool to move the mailboxes to the new system it converted the contact to a user account. At this point you have 2 accounts for the same user. Using the AD Cleanup tool that's included with Exchange, you merge the mailbox account into the old Novell account. This tool will connect the mailbox to the correct account and delete the dummy account.

ad.root
|
|--Built In
|--Computers
|--Novell Tree
|  |
|  |--Novell OU
|  |--Novell OU
|
|--Migration OU
|  |
|  |--Exchange Migration
|  |--Distribution Lists
|
|--Other Default AD OU's

One last thing... Are you creating a new Exchange Organization and AD, or are you reusing any of those namespaces?

Hope this helps...

PSC
 
Thanks,

Definitely helped in the discussion we had this morning :).

What we are planning at this point is a new Active Directory (new namespace).
Then to use the MSDSS for the migration from Novell (OU's, users and files). Mostly because setting NTFS rights by hand is undoable.
For Exchange the plan is to try to use a script to transfer/copy the SID of the NT 4.0 accounts to the SID history property of the new AD accounts we created with the MSDSS. (We're basically doing by hand something ADMT normally does.)
We then have a relation between the AD accounts and the NT 4.0 accounts and can use ADC for the connection between AD and Exchange. (Exchange will be installed in the old 5.5 organisation by the way).

We're going to test this approach sometime next week.

The problems you had with MSDSS make clear that there is also quite a lot of testing with MSDSS needed before we can safely say that this works. Good warning :)

Thanks for your reaction.

Frans
 
Frans222 & PScottC

I'm in the beginning stages of developing a plan very similar to Frans222. Netware 6 running NDS in an NT domain and wanting to migrate over to w2k3 by the end of the year. Also have an Exchange 5.5 on W2k server. Would like to keep 5.5 for a little bit after the AD migration and then upgrade to Exch 2k within a month or two afterwards. I'm interested to hear how both migrations went. We currently have a small amount of groups (22) and a handful of users are on the NT side with the remaining on Novell. Any help is greatly appreciated.

Thanks Again

I hope that someday we will be able to put away our fears and prejudices and just laugh at people ~ Jack Handy
 
See my comments above.

I have a suggestion regarding the Exchange/NT migration though... If you don't have good business justification for changing the Exchange organization name, then don't. Do an "in-place" upgrade of your NT4 domain and Exchange 5.5 systems. (The caveat being that you have no Windows 95/98/NT4 clients attaching to your domain.)

Use MSDSS to migrate the User accounts and groups, then use the AD cleanup wizard to merge the duplicate accounts.

PSC
 
Thanks for the reply.

The Exchange org, site will remain the same so no worries there but it was brought up in pre-planning discussions by the IT director. Sounds like a good idea we scrapped it. My other question is about passwords. Using the MSDSS for user and groups I don't believe it pulls passwords from the Netware side? Am I wrong? This is kinda a major issue of ours right now in that we want to pull all passwords over from Novell and avoid having all 700 users have to log in that Monday morning and change their passwords all at the same time. How many users did you have? Was this an issue with your company? Thanks again for your help

I hope that someday we will be able to put away our fears and prejudices and just laugh at people ~ Jack Handy
 