ADMT: Domain De Novo

  • Question

  • Hi Folks,

    A recent question to this forum has redirected me FROM ldifde to ADMT, probably for the better.  We'll see.  Let me explain what I am doing because, although I don't think it is unusual, the documentation never discusses this particular migration scenario: Domain De Novo: Deploy all new and migrate only the important stuff leaving behind all the legacy junk.

    This is a migration, not among domains, but from one version of a domain to an entirely new and separate version of the same domain.

    Old: Windows Server 2003 Domain Controller for the domain TCLC.org with a set of XP desktops.  The Domain Controller is also running Exchange Server.  

    New: Windows Server 2008 R2, also for the domain TCLC.org, with a set of Windows 7 desktops. The previous domain controller will be demoted to a member server and will continue with its Exchange Server role, until I can migrate that also in the future.

    Notice in particular that I have two separate networks because they each have a domain controller for the same domain.  They are separated by a firewall, so communication between them is cumbersome, but not impossible.

    The fly in the ointment is that both machines think they are the domain controller for TCLC.org and they are both right, but the Migration wizard can't understand this.  As soon as I specify the domain, the wizard assumes the new DC...

    Does anybody have any advice about how to explain this apparently unique situation to the ADMT wizards?

    Thanks for the help,

    Chris.

    Sunday, June 3, 2012 7:36 PM

Answers

  • Hello,

    thanks for the explanation of your reasons; it is sometimes hard to understand why people do a lot more work than is basically required.

    I would like to mention that not even Microsoft recommends installing Exchange on DCs, no matter which OS version, except on SBS, which is built especially for that. SQL and a CA are also not recommended on DCs. Basically a DC should only run AD/DNS/GC, that's it; that is the best option for backup/restore and also for security.

    If you would like to start new, which is understandable, and don't want to find answers to all the problems and errors (be aware that some errors are still OK and can be ignored depending on the installation), then the migration is the way to go.

    For the Exchange migration in the future, the easiest option is to export all mailboxes to .pst files and import them into the new Exchange server. For the Exchange 2000 export see ExMerge (maybe download the tool before it is no longer available): http://support.microsoft.com/kb/327304/en-us. Keep in mind that Exchange 2000 is also out of support.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, June 5, 2012 5:46 AM

All replies

  • Hello,

    there is NO way with ADMT to migrate between 2 domains using the same domain name. If you need the same name, then you have to migrate via a temporary domain name and then go to the correct one.

    And ENSURE there is NO connectivity between the currently running domains with the same name. The best option is to disconnect them completely.

    Additionally, it is NOT recommended to run Exchange on domain controllers, not even by Microsoft.

    And why don't you just add a new OS DC to the existing domain?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 4, 2012 5:43 AM
  • The minimum prerequisite to use the ADMT tool is a trust relationship between the two domains. If the conditions below are met, you can establish the trust; if there is no trust, you can't use the ADMT tool.

    Quoted from TechNet:

    Before the Local Security Authority (LSA) creates the trust, the LSA verifies the consistency of the parameters. Between the new trust partner and all other domains that are in the same forest as the trust partner, the following items must be unique:

    • The NetBIOS name of the domain
    • The fully qualified domain name (FQDN) of the domain
    • The security identifier (SID) of the domain

    You cannot create the trust if one of the three items has duplicates.

    http://support.microsoft.com/kb/930218

    Either create a temporary domain, or purge the new domain with the same domain name and create a new domain again before you can use ADMT.

    Note: the Quest tool can perform the migration without a trust relationship, but it won't migrate SIDHistory.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:48 AM
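    The uniqueness rule quoted above from KB930218 can be checked before touching the trust wizard. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads each domain's FQDN, NetBIOS name and domain SID over LDAP with System.DirectoryServices (which works against a Windows Server 2003 DC as well as 2008 R2) and compares the two. The DC addresses, the account names and the temporary domain `bridge.local` are placeholders; IP addresses are used for the LDAP paths because the name `tclc.org` is ambiguous while two copies of the domain exist.

```powershell
# Added example (not from the thread): pre-flight check for the trust
# uniqueness rule from KB930218. Addresses, accounts and 'bridge.local'
# are placeholders. Compatible with PowerShell 2.0 on Windows Server 2008 R2.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainIdentity {
    param(
        [string]$DcAddress,                                     # IP or FQDN of any DC of the domain
        [System.Management.Automation.PSCredential]$Credential  # account that can read the directory
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    # RootDSE tells us the domain and configuration naming contexts
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DcAddress/RootDSE", $user, $pass
    $domainNc = [string]$root.Properties['defaultNamingContext'].Value
    $configNc = [string]$root.Properties['configurationNamingContext'].Value

    # objectSid of the domain head object is the domain SID
    $domain   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DcAddress/$domainNc", $user, $pass
    $sidBytes = [byte[]]$domain.Properties['objectSid'].Value
    $sid      = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0

    # The crossRef for this naming context in CN=Partitions carries dnsRoot and nETBIOSName
    $partitions = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DcAddress/CN=Partitions,$configNc", $user, $pass
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $partitions
    $searcher.Filter = "(&(objectClass=crossRef)(nCName=$domainNc))"
    [void]$searcher.PropertiesToLoad.Add('dnsRoot')
    [void]$searcher.PropertiesToLoad.Add('nETBIOSName')
    $crossRef = $searcher.FindOne()
    if ($crossRef -eq $null) { throw "No crossRef for $domainNc found via $DcAddress" }

    New-Object PSObject -Property @{
        Dc      = $DcAddress
        Fqdn    = ([string]$crossRef.Properties['dnsroot'][0]).ToLower()
        NetBIOS = ([string]$crossRef.Properties['netbiosname'][0]).ToUpper()
        Sid     = $sid.Value
    }
}

function Test-TrustPartnerUniqueness {
    param($Local, $Partner)   # two objects returned by Get-DomainIdentity
    $conflicts = @()
    if ($Local.Fqdn    -eq $Partner.Fqdn)    { $conflicts += "FQDN '$($Local.Fqdn)' is used by both domains" }
    if ($Local.NetBIOS -eq $Partner.NetBIOS) { $conflicts += "NetBIOS name '$($Local.NetBIOS)' is used by both domains" }
    if ($Local.Sid     -eq $Partner.Sid)     { $conflicts += "Domain SID $($Local.Sid) is used by both domains (cloned DC?)" }
    foreach ($c in $conflicts) { Write-Warning $c }
    return ($conflicts.Count -eq 0)          # $true means the LSA will accept the trust
}

# Usage (placeholders). Old TCLC.org against new TCLC.org fails on FQDN and
# NetBIOS name, which is exactly why the ADMT wizard cannot tell them apart.
$tclcCred = Get-Credential 'TCLC\Administrator'
$old = Get-DomainIdentity -DcAddress '192.0.2.10'    -Credential $tclcCred
$new = Get-DomainIdentity -DcAddress '198.51.100.10' -Credential $tclcCred
Test-TrustPartnerUniqueness $old $new        # $false: duplicate FQDN and NetBIOS name

# Old TCLC.org against a temporary bridge domain passes, so that trust can be created.
$bridge = Get-DomainIdentity -DcAddress '203.0.113.10' -Credential (Get-Credential 'BRIDGE\Administrator')
Test-TrustPartnerUniqueness $old $bridge     # $true
```

    KB930218 requires the three values to be unique against every domain in the partner's forest, not just the one you are trusting; in a multi-domain forest, run `Get-DomainIdentity` (or enumerate all crossRef objects under CN=Partitions) for each domain before creating the trust.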
  • Please make sure that the source and target domains have:
    *Different DNS domain names
    *Different NetBIOS names

    If the above names are the same, then you cannot migrate using ADMT. The two domains will fail to understand each other.

    If you want to migrate users from one domain to a new domain using the ADMT tool, you need to create a trust relationship between the two domains. You need to understand the nuances of ADMT and how it works before you actually take on a migration in a production environment. Also, it is much better if you can simulate it in a lab environment for a successful result. I have the links below which might help you understand this. Start by reading the ADMT guide first.

    ADMT Guide: Migrating and Restructuring Active Directory Domains
    http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    How to configure a firewall for domains and trusts
    http://support.microsoft.com/kb/179442

    ADMT doesn't have an Exchange/mailbox migration option. If you are not planning to use a third-party migration tool like Quest or NetIQ, your only option is to export the mailboxes (ExMerge) and import them. But you will have some mail routing challenges here, like non-migrated users sending emails to migrated users and vice versa.

    If you have a lot of mailboxes to migrate, my recommendation is to consider a third-party migration tool or a custom solution for mail routing (you can use a dummy SMTP address in the targetAddress attribute and an SMTP connector during the migration/co-existence to achieve this).

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, June 4, 2012 10:26 AM
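    The firewall article linked above (KB179442) lists the ports a trust and ADMT need between domain controllers. The PowerShell below is an added example, not code from the thread or from Microsoft: run from a DC (or the ADMT machine) on one side of the firewall, it tests the static TCP ports from that list against a DC on the other side and reports whether each is open, actively refused or silently dropped. The target DC address is a placeholder.

```powershell
# Added example (not from the thread): reachability check for the static TCP
# ports trusts and ADMT use (port list after KB179442). Target address is a
# placeholder. Compatible with PowerShell 2.0 on Windows Server 2008 R2.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: a firewall is dropping the packets
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($async)          # throws if the port is actively refused
        return 'open'
    } catch {
        return 'closed'                     # reachable host, nothing listening
    } finally {
        $client.Close()
    }
}

# Static TCP ports between domain controllers for trusts, Kerberos/NTLM
# authentication, LDAP/GC lookups and the ADMT agent (see KB179442)
$TrustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session (NTLM, Windows 2003 NetBIOS trusts)'
    389  = 'LDAP'
    445  = 'SMB (Netlogon, SYSVOL, ADMT agent install)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}

function Test-TrustConnectivity {
    param([string]$TargetDc)
    foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port    = $port
            Service = $TrustPorts[$port]
            State   = (Test-TcpPort -ComputerName $TargetDc -Port $port)
        }
    }
}

# Run this from each side, because trusts and ADMT talk in both directions
Test-TrustConnectivity -TargetDc '198.51.100.10' | Format-Table Port, Service, State -AutoSize
```

    Two caveats a TCP connect test cannot cover: RPC calls move to a dynamic port after the endpoint mapper (TCP 1025-5000 on Windows Server 2003, 49152-65535 on 2008 R2), which is why KB179442 describes restricting that range in the registry so the firewall can allow it; and DNS, Kerberos, LDAP and NetBIOS name service also use UDP (53, 88, 389, 137/138), which this check does not exercise.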
  • Hi Folks,

    Thanks very much for the advice.  I think the answer is to install a Windows Server 2008 R2 on a virtual machine and make him a DC for an intermediate domain, then I can migrate my users from old to intermediate to new.  Migration problem solved.  I don't know if this is what Meinolf Weber meant by his suggestion or not.

    I appreciate the caution and the advice you folks have provided; much of it was already apparent, but caution is always worth repeating.  As a result, I have NOT done anything stupid, and the project delay from seeking advice was well worth the investment.


    Thanks for the help,

    Chris.

    Monday, June 4, 2012 2:35 PM
  • Hello,

    if you will really install a new domain with the same name, yes, that was what I mentioned.

    But why don't you just add the DC to the existing domain? From your description, I can see no reason so far to do it your way.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 4, 2012 4:22 PM
  • Hi Meinolf,

    Why don't I take the "join/promote" route?  I did.  It was two weeks of trouble.  I installed Exchange on the current DC when I was young and foolish, and there are other "interesting" decisions I made over the years, all of which I think combined to produce this bizarre level of trouble.  Things seemed to be stable but there were large numbers of errors in the logs that I just could not clear!  And we both know that errors are reported for a reason; you ignore them at your peril.  So I decided on the domain de novo route as the lesser of two evils.  So far there have been FAR fewer problems and the few I have encountered, you guys have helped me solve.  There are/were two problems: 1) migrate the users and 2) what do I do about Exchange 2000 on the old DC?

    1) has now been completely solved in a supported way.  I can create a bridge domain to migrate my users from old to new.  This requires a bit of juggling trusts, but this is not a big deal and clearly the best alternative.  Trusts were designed to be made and broken.

    2) I have hidden the Exchange server on a physically separate LAN from the LAN hosting my new domain, and I have a NAT allowing inbound connections to him.  My new domain has access to Exchange as though he was right here.  I don't even have to demote him as a DC.  He can just sit there all by himself happily serving Exchange.  So I have a stable e-mail solution until I can address that as its own project.

    I hope this explains my admittedly unusual approach.


    Thanks for the help,

    Chris.

    Tuesday, June 5, 2012 12:19 AM
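    The "juggling trusts" the bridge-domain plan needs has a fixed order, because the bridge DC may only ever see one copy of TCLC.org at a time. The sequence below is an added example, not commands from the thread or from Microsoft documentation; it uses netdom.exe (built into Windows Server 2008 R2, in the Support Tools on 2003) and dnscmd.exe, run from a DC of the bridge domain. The name `bridge.local`, the DC addresses and the administrator accounts are placeholders.

```powershell
# Added example (not from the thread): trust juggling for the old -> bridge -> new
# plan, run from a DC of the bridge domain. 'bridge.local', addresses and
# accounts are placeholders. /PasswordD:* and /PasswordO:* prompt for passwords.

# Phase 1: the bridge DC must resolve tclc.org to the OLD DC only, so add a
# conditional forwarder for it; the new DC must be unreachable during this phase.
dnscmd . /ZoneAdd tclc.org /Forwarder 192.0.2.10

# Two-way external trust bridge.local <-> old tclc.org, then verify the secure channel
netdom trust bridge.local /d:tclc.org /add /twoway `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*
netdom trust bridge.local /d:tclc.org /verify

# ADMT only carries SID history across this trust if SID filtering is off on it
# (/quarantine with no value just displays the current setting)
netdom trust bridge.local /d:tclc.org /quarantine:No `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*

# ... run ADMT here: old tclc.org -> bridge.local (users, groups, SID history) ...

# Tear down before the new domain comes into view: remove the trust, drop the
# forwarder, disconnect the old DC from the network
netdom trust bridge.local /d:tclc.org /remove /twoway `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*
dnscmd . /ZoneDelete tclc.org /f

# Phase 2: same steps against the NEW tclc.org, now resolving to the new DC
dnscmd . /ZoneAdd tclc.org /Forwarder 198.51.100.10
netdom trust bridge.local /d:tclc.org /add /twoway `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*
netdom trust bridge.local /d:tclc.org /verify
netdom trust bridge.local /d:tclc.org /quarantine:No `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*

# ... run ADMT here: bridge.local -> new tclc.org ...

# Finally retire the bridge domain: remove its trust, then decommission the VM
netdom trust bridge.local /d:tclc.org /remove /twoway `
    /UserD:TCLC\Administrator /PasswordD:* /UserO:BRIDGE\Administrator /PasswordO:*
```

    The point of the forwarder add/delete around each phase is that both copies of TCLC.org answer to the same name, so stale DNS on the bridge DC would quietly build the phase 2 trust against the old domain. Turning SID filtering off is a deliberate weakening of the trust boundary and belongs only on a temporary trust like this one; remove the trust, as shown, as soon as the ADMT run is done.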