Migrate Servers and computers to a new domain in a new forest without trust relationship

    Question

  • Hello everyone,

    Which is the best way to migrate servers and computers from actual domain (Windows 2000 mixed mode) to another domain in another operational new forest without establishing any kind of trust relationship between them?

    I have to migrate file servers, sql 2000 servers, isa 2000 server.

    The plan we have to perform states that we have to first install a new DC in the new forest and then start creating new user accounts (not migrating them), groups, etc. Then moving servers and finally moving users.

    I can't imagine how to match existing permissions over servers after migration to the new domain.

    Please any advice will be much appreciated.

    If you need more information I can provide it.

    Thanks
    Federico

    Thursday, October 01, 2009 7:50 PM

Answers


  • Hi,

    You will have to take all the servers out of the current domain by making them members of a workgroup instead of the old domain and then join them to the new domain.

    You also say that new user accounts and groups will be created in the new domain, but you also say that you want to move users. To move users from one domain to another you will have to connect the two domains to each other.

    If you create new users and groups in the new domain you will have to recreate all domain group membership on all servers (your file server, SQL server and ISA server) for all users again (there will be no SID history).

    Danny.




    Saturday, October 03, 2009 9:23 AM
  • Hello,

    the way you like to do it will NOT work. When you follow your steps described or from Danny van Dam, you lose the old domain and have to do everything from scratch.

    Also SQL will create problems after joining to a new domain, check this within a SQL forum/newsgroup BEFORE.

    You cannot take over any permissions for user accounts, so all have to be configured new also.

    Basically without creating a trust you cannot do a real migration. It is a more or less complete new build of a domain with adding some old servers.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, October 04, 2009 1:35 PM

All replies


  • Thank you both for your reply. So what I was thinking is correct. What will you do in my place if you have to face these limitations and move the servers to the other domain without any kind of trust relationship?

    I am planning to review each server and take note of every application, services, permissions and accounts that are being used today. With this information I will study the impact of the migration on each server, the risk, and the ways to mitigate those risks.

    Does anybody know if there is any tool that could help me to collect this information (services, accounts, permissions, etc) or to simulate what will happen if I change a server from one domain to the other?

    thanks for your comments again

    Federico

    Wednesday, October 07, 2009 2:46 AM
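
The per-server inventory described in the post above, sketched in PowerShell as an added example that is not part of the original thread: it lists the services, local group memberships and explicit NTFS entries that reference old-domain accounts, which are the items that have to be recreated by hand when there is no trust and no SID history. It assumes Windows PowerShell 3.0 or later on an admin workstation with administrative rights on the targets; `OLDDOM`, `FS01` and `\\FS01\Data` are placeholders.

```powershell
# Added example. OLDDOM, FS01 and \\FS01\Data are placeholders, not values from the thread.
param(
    [string]   $OldDomain  = 'OLDDOM',           # NetBIOS name of the source domain
    [string[]] $Servers    = @('FS01'),          # servers to inventory
    [string[]] $SharePaths = @('\\FS01\Data'),   # folder trees to scan
    [string]   $OutDir     = '.'
)
$prefix = "$OldDomain\*"

# 1. Services whose logon account lives in the old domain.
$services = @(foreach ($s in $Servers) {
    Get-WmiObject -Class Win32_Service -ComputerName $s |
        Where-Object { $_.StartName -like $prefix } |
        Select-Object @{n='Server';e={$s}}, Name, StartName, StartMode
})

# 2. Old-domain users and groups nested in each server's local groups.
$members = @(foreach ($s in $Servers) {
    $computer = [ADSI]"WinNT://$s,computer"
    foreach ($g in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        foreach ($m in @($g.Invoke('Members'))) {
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            # Domain principals: WinNT://OLDDOM/name. Local accounts on a member
            # server appear as WinNT://OLDDOM/FS01/name and are skipped.
            if ($path -like "WinNT://$OldDomain/*" -and $path -notlike "WinNT://$OldDomain/$s/*") {
                New-Object PSObject -Property @{ Server = $s; LocalGroup = "$($g.Name)"; Member = $path }
            }
        }
    }
})

# 3. Explicit (non-inherited) NTFS entries granted to old-domain principals.
$aces = @(foreach ($root in $SharePaths) {
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        (Get-Acl -LiteralPath $d.FullName).Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like $prefix } |
            Select-Object @{n='Path';e={$d.FullName}}, IdentityReference,
                          FileSystemRights, AccessControlType, InheritanceFlags
    }
})

$services | Export-Csv (Join-Path $OutDir 'services.csv')     -NoTypeInformation
$members  | Export-Csv (Join-Path $OutDir 'local-groups.csv') -NoTypeInformation
$aces     | Export-Csv (Join-Path $OutDir 'ntfs-aces.csv')    -NoTypeInformation
```

Run it while the servers are still members of the old domain: once a server can no longer reach an old-domain controller, these entries resolve only as raw SIDs and the name filter above matches nothing.
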
  • Hello,

    you can export/import SOME, not all, settings from/to AD:
    http://support.microsoft.com/kb/237677

    Pur file servers you can remove and add to the other domain, BUT all permissions must be configured again, no way around this as far as I know without having a trust for account/SID migration.

    For SQL still no changes.

    Never heard about simulation tools.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 12, 2009 7:37 AM
  • Dear Federico,

    You can do this with the help of ADMT (Active Directory Migration Tools)

    We did it successfully; actually, recently we migrated all servers and users from the old domain to the new domain with this tool.

    Hope this will help you. It's better if you read about that tool.


    Regards,

    Azhar


    Tuesday, May 10, 2011 9:24 AM
  • BinaryTree offers the SMART Active Directory Migration Suite that allows AD migration with or without trust relationship being in place.

    http://www.binarytree.com

    The software approach does not rely on sIDHistory alone. If a trust cannot be established the software console is installed in both the source and target domains and actions are performed in the required domain independently of each domain.

    Once the collection of AD accounts (users, groups, workstations and servers) and the recreation of accounts in the target domain is complete, the source domain workstations and servers are re-ACLed to support the newly created accounts of the target domain.

    The unique quality of the SMART Active Directory Migration Suite is the ability to reset (override DHCP) DNS server and DNS Suffix list order to reflect that of the destination domain. Once this is accomplished, the computers can be remotely migrated into the new domain.

    At this point the workstations and servers are migrated to the target domain, the users log in to their workstations and maintain their profiles, settings and retain access to resources on servers.


    Microsoft Enterprise Solution Group

    Friday, June 21, 2013 5:08 PM