Migrate AD users and their passwords between separate domains with no trust

  • Question

  • Hi There!

    We are just wondering how we can migrate users and their passwords from a Windows 2008 AD server to another one. These two DCs are located in completely separate networks and we are not allowed to put them in the same forest.

    Thanks,

    Ged.


    Wednesday, September 29, 2010 8:08 PM

Answers

  • Thanks for your swift reply. I am not sure what tools are out there, but we are planning to move multiple users from one DC to another. From your reply it appears that we won't be able to use ADMT. The reason is we are not planning to create the trust between the DCs because of regulatory issues. Hence, from what has been suggested by both of you above, it looks like we should use Quest software. The accounts are used by users to access an ASP.NET-based web application. Any idea what the limitations of the Quest tool would be for the web users when they try to authenticate after we have migrated them to the new DC?

    Thanks,

    Ged.


    You can do this via a trust, but not how you might normally think about it.

    Build out a new DC in your source domain and allow it to replicate properly; be sure that it is a DC/GC and DNS server. Disconnect this DC from the current domain and expect to NEVER connect it to this domain again.

    Do a metadata cleanup of this DC:

    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx

    Move this DC to the new forest and now create a trust between the two domains with this newly created DC that was just removed. You may need to seize the FSMO roles and then establish a trust and use ADMT to migrate across the accounts, etc.

    If you can go this route, remember you won't be able to migrate across any of the machines and the permissions associated with the users, since you didn't have the two joined at the same time.

    If this doesn't pass regulatory issues, then you will have to look at exporting your users with LDIFDE or something similar.

    http://support.microsoft.com/kb/237677


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.


    • Marked as answer by Bruce-Liu Friday, October 15, 2010 11:21 AM
    Thursday, September 30, 2010 12:01 PM
    Moderator
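The LDIFDE route from the answer above, carried through end to end as an added example (this is not code from the thread or from any of the posters). Names are assumptions for illustration only: source domain corp.example with DC SRC-DC1, target domain new.example with DC DST-DC1, users under OU=Users on both sides, C:\migrate as a working folder. The security point the thread's question turns on is baked in: an LDIFDE export never contains password material, because unicodePwd is not readable over LDAP, so every migrated account has to land disabled and be given a fresh password on the target side.

```powershell
# Added example, not from the thread: the LDIFDE route, export -> rewrite -> import -> reset.
# Assumed names (not from the thread): source corp.example / SRC-DC1, target new.example /
# DST-DC1, OU=Users on both sides, C:\migrate as working folder. Run each half as a domain
# admin of that side; ldifde and dsmod authenticate as the invoking user against the named DC.

# ---- source side: export user objects only ---------------------------------------
# -m (SAM logic) leaves out objectGUID, objectSid, pwdLastSet and samAccountType, which the
# target forest must generate itself. unicodePwd is never readable over LDAP, so the export
# carries no password material at all: every migrated account will need a new password.
$attrs = 'objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,' +
         'mail,description,userAccountControl'
& ldifde -f C:\migrate\users-source.ldf -s SRC-DC1 -d 'OU=Users,DC=corp,DC=example' `
         -p subtree -r '(&(objectCategory=person)(objectClass=user))' -l $attrs -m -j C:\migrate

# ---- rewrite the export for the target forest ------------------------------------
function Convert-LdifForTarget {
    param([string]$InFile, [string]$OutFile, [string]$FromDN, [string]$ToDN,
          [string]$FromUpnSuffix, [string]$ToUpnSuffix)
    # LDIF folds long values onto continuation lines that begin with a space; join them first
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($l in Get-Content $InFile) {
        if ($l.StartsWith(' ') -and $unfolded.Count -gt 0) { $unfolded[$unfolded.Count - 1] += $l.Substring(1) }
        else { $unfolded.Add($l) }
    }
    $dnPattern  = '(?i)' + [regex]::Escape($FromDN) + '$'
    $upnPattern = '(?i)' + [regex]::Escape('@' + $FromUpnSuffix) + '$'
    $drop       = '^(objectGUID|objectSid|pwdLastSet|sAMAccountType|memberOf)::?\s'
    $out = foreach ($line in $unfolded) {
        if ($line -match $drop) { continue }                       # never importable; belt and braces
        if ($line -match '^dn:\s') { $line -replace $dnPattern, $ToDN; continue }
        if ($line -match '^userPrincipalName:\s') { $line -replace $upnPattern, ('@' + $ToUpnSuffix); continue }
        if ($line -match '^userAccountControl:\s*(\d+)$') {
            # keep the source flags but set ACCOUNTDISABLE (0x2): AD refuses to create an enabled
            # user with no password, and a live account without one is not wanted anyway
            'userAccountControl: ' + ([int]$Matches[1] -bor 2); continue
        }
        $line
    }
    # values ldifde base64-encodes (non-ASCII names, shown as 'attr:: ...') are not rewritten here
    Set-Content -Path $OutFile -Value $out -Encoding ASCII
}
Convert-LdifForTarget -InFile C:\migrate\users-source.ldf -OutFile C:\migrate\users-target.ldf `
    -FromDN 'DC=corp,DC=example' -ToDN 'DC=new,DC=example' `
    -FromUpnSuffix 'corp.example' -ToUpnSuffix 'new.example'

# ---- target side: import, then give every account a fresh password ---------------
# -k skips "object already exists", so a rerun is safe, but it also means a sAMAccountName
# collision with an existing target user only shows up in the ldif.log/ldif.err files in -j
& ldifde -i -f C:\migrate\users-target.ldf -s DST-DC1 -k -j C:\migrate

function New-MigratedAccountPasswords([string]$LdifFile, [string]$Server) {
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    foreach ($l in Get-Content $LdifFile) {
        if ($l -notmatch '^dn:\s+(.+)$') { continue }
        $dn = $Matches[1]
        $bytes = New-Object byte[] 18
        $rng.GetBytes($bytes)
        $tempPw = [Convert]::ToBase64String($bytes)           # 24 chars: mixed case, digits, symbols
        # set the password, force a change at next logon, and only then enable the account
        & dsmod user $dn -s $Server -pwd $tempPw -mustchpwd yes -disabled no
        New-Object PSObject -Property @{ DN = $dn; TempPassword = $tempPw }   # hand over out of band
    }
}
New-MigratedAccountPasswords -LdifFile C:\migrate\users-target.ldf -Server DST-DC1 |
    Export-Csv -NoTypeInformation C:\migrate\temp-passwords.csv   # protect, deliver, then delete
```

Two things to check before calling it done: memberOf is a back-link and was dropped, so group membership has to be rebuilt on the target by other means, and the import log must be read for "already exists" entries, because -k hides them from the console. The user-visible consequence for the web application is unavoidable on this route whatever tool is used: nobody can sign in to new.example until they have received the temporary password and changed it.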

All replies

  • Are you talking about migrating users from one domain to another? What tool are you planning to use?

    If you are using ADMT, you can't do this without a domain trust.

    If you are using Quest, you can perform the migration without a trust. But there will be some limitations: for example, you won't be able to use SIDHistory, etc.

    Regardless of which migration tool you use, you need name resolution between the domains.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Wednesday, September 29, 2010 8:15 PM
    Moderator
  • Can you temporarily create a trust just to complete the migration? You can use ADMT or a third-party tool (Quest, NetIQ). With ADMT you can use the Password Export Server.

    They would not have to be in the same forest in order to setup the trust.  When you are done migrating you can remove the trust.


    Thanks

    Mike


    http://adisfun.blogspot.com
    Wednesday, September 29, 2010 8:16 PM
  • Thanks for your swift reply. I am not sure what tools are out there, but we are planning to move multiple users from one DC to another. From your reply it appears that we won't be able to use ADMT. The reason is we are not planning to create the trust between the DCs because of regulatory issues. Hence, from what has been suggested by both of you above, it looks like we should use Quest software. The accounts are used by users to access an ASP.NET-based web application. Any idea what the limitations of the Quest tool would be for the web users when they try to authenticate after we have migrated them to the new DC?

    Thanks,

    Ged.

    Wednesday, September 29, 2010 8:36 PM
  • Before making the decision on a migration tool, you need to come up with your requirements.

    How many users and computers are you planning to migrate? Do you need to use SIDHistory during the migration?

    You need to have name resolution between the 2 AD domains. Can you enable DNS forwarding?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Wednesday, September 29, 2010 8:56 PM
    Moderator
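The temporary-trust route suggested by Mike, together with the name-resolution prerequisite Santhosh raises twice, written out as an added example with the Windows Server 2008 command-line tools (dnscmd, netdom, nltest); this is not code from the thread or from any poster. Names and addresses are assumptions for illustration: source corp.example with DC SRC-DC1 at 10.10.0.10, target new.example with DC DST-DC1 at 10.20.0.10. The check worth doing before ADMT runs is the SID-filtering state of the trust, and the step most often forgotten is removing the trust afterwards.

```powershell
# Added example, not from the thread: temporary external trust for an ADMT migration.
# Assumed names (not from the thread): source corp.example / SRC-DC1 10.10.0.10,
# target new.example / DST-DC1 10.20.0.10. Run on DST-DC1 as a target-domain admin,
# except the one line marked for the source side.

# 1. Name resolution both ways: a conditional forwarder for the other domain on each DNS server
dnscmd /ZoneAdd corp.example /Forwarder 10.10.0.10            # on DST-DC1
# dnscmd /ZoneAdd new.example /Forwarder 10.20.0.10           # on SRC-DC1
# Kerberos and ADMT locate DCs through SRV records, so test those rather than the bare A record
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example

# 2. Two-way external (non-transitive) trust, created from the target side.
#    /ud and /pd are credentials in the /d: domain (corp.example), /uo and /po in the domain
#    named first (new.example); '*' prompts for the password instead of putting it on the command line.
netdom trust new.example /d:corp.example /add /twoway `
       /ud:CORP\Administrator /pd:* /uo:NEW\Administrator /po:*

# 3. Checks before letting ADMT loose
netdom trust new.example /d:corp.example /verify              # trust secret agrees on both sides
nltest /sc_verify:corp.example                                # secure channel to a corp.example DC
netdom trust new.example /d:corp.example /quarantine          # shows the SID filtering state
# The last command should report SID filtering as enabled (the default for an external trust).
# Leave it on unless you migrate SIDHistory: with it on, a compromised corp.example DC cannot
# present SIDs that belong to new.example (its Domain Admins, say) across the trust. ADMT only
# needs /quarantine:no when SIDHistory is being carried over, and this thread's scenario has
# no resources that would need it.

# ... run ADMT, with the Password Export Server on the corp.example PDC emulator, here ...

# 4. Tear the trust down as soon as the migration is signed off, and confirm it is gone
netdom trust new.example /d:corp.example /remove /twoway `
       /ud:CORP\Administrator /pd:* /uo:NEW\Administrator /po:*
nltest /domain_trusts /all_trusts
```

The conditional forwarders are the part that survives the migration if nobody removes them; delete them with `dnscmd /ZoneDelete <zone>` on each side once the trust is gone, so the two networks are again as separate as the regulatory requirement expects.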
  • It is actually possible to perform a migration using ADMT without a trust in place, although this will require creating matching accounts in both domains (same username/password) and using those to carry out the migration.

    The process is described at http://technet.microsoft.com/en-us/library/cc719892(WS.10).aspx - it deals with SBS (due to its inherent limitations), but you should be able to apply it to "standard" AD domains as well...

    hth
    Marcin

    Thursday, September 30, 2010 11:15 AM
  • Good suggestion, Paul. If you are planning to migrate only users and their passwords (no computer objects), you can use that option.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Thursday, September 30, 2010 5:34 PM
    Moderator