Advice needed on company merger migration

    Question

  • Hi all,

    I am in the situation where I need to merge another company into ours. They are only 30 people, so the task should not be completely overwhelming. However, I need to do a few things, and was hoping I could get some advice on how to go about this.

    1. Move their user accounts over to our domain

    2. Move their desktop computers over to our domain

    3. Copy the data from their file server and over to ours

    4. Move some of their production servers over to our domain

    Obviously there are a lot of other tasks, but these are just the 4 I need to concentrate on. Here is what I have thought about:

    1. Import and create all their user accounts from a CSV file into our domain.

    2. On the migration date we will remove their desktop computers from their domain and move them over to ours.

    3. Use Robocopy to copy files from their file server over to ours. Do it a bit in advance and then run it on the day to copy the changes. Need to re-create shares and add users to the shares.

    4. Remove some production servers from their domain and join them to ours.

    All of this is very manual, and I wondered if there was a more automatic approach? Mainly on the file server I predict I will miss a few shares or miss a few users who need access to shares.

    I looked at the AD Migration Tool from MS and also at the File Server Migration Tool from MS, but I am not sure they are good in this situation. I was hoping someone could give some advice.

    Regards

    Ronnie


    ronnie.jorgensen systems engineer

    Saturday, February 09, 2013 4:22 PM
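An added example (not the poster's or Microsoft's code) of the two-phase Robocopy plan in step 3, which also pulls the share list and share permissions from the old server so nothing is missed. It is meant to run on the new file server; OLDFS, OLDDOM, NEWDOM and D:\Shares are assumed names.

```powershell
# Added example: seed copies now, then re-run with -CutOver on migration day.
# Assumed names: OLDFS (their file server), OLDDOM/NEWDOM (NetBIOS domains), D:\Shares.
param(
    [string]$SourceServer = 'OLDFS',      # assumption: the acquired company's file server
    [string]$OldDomain    = 'OLDDOM',     # assumption: their NetBIOS domain name
    [string]$NewDomain    = 'NEWDOM',     # assumption: our NetBIOS domain name
    [string]$TargetRoot   = 'D:\Shares',  # local path on this (new) file server
    [switch]$CutOver                      # seed runs: omit; final run on the day: -CutOver
)
$logDir = 'C:\MigrationLogs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Ask the old server for its own share list (Special excludes C$, ADMIN$, IPC$).
$shares = Get-SmbShare -CimSession $SourceServer | Where-Object { -not $_.Special }
foreach ($s in $shares) {
    $src = "\\$SourceServer\$($s.Name)"
    $dst = Join-Path $TargetRoot $s.Name
    $log = Join-Path $logDir "$($s.Name)-$(Get-Date -Format yyyyMMdd-HHmm).log"
    # /MIR: re-runs copy only changes and delete what was removed at the source.
    # /COPYALL: keeps NTFS ACLs, owner and audit entries (needs backup rights on both ends).
    # /XJ: do not follow junctions; /R:2 /W:5: do not stall for hours on locked files.
    robocopy $src $dst /MIR /COPYALL /XJ /R:2 /W:5 /MT:16 /NP /LOG:$log
    # Robocopy exit codes 0-7 are success variants; 8 or higher means something failed.
    if ($LASTEXITCODE -ge 8) { Write-Warning "$($s.Name): copy errors, check $log" }

    if (-not $CutOver) { continue }
    # Cut-over: create the share here if missing, drop the default 'Everyone Read' entry,
    # then copy the share-level ACL, rewriting OLDDOM\ principals to NEWDOM\ (valid once
    # ADMT has migrated those accounts and groups).
    if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $s.Name -Path $dst -Description $s.Description | Out-Null
        Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force | Out-Null
    }
    foreach ($ace in Get-SmbShareAccess -CimSession $SourceServer -Name $s.Name) {
        $acct = $ace.AccountName -replace "^$OldDomain\\", "$NewDomain\"
        if ($ace.AccessControlType -eq 'Deny') {
            Block-SmbShareAccess -Name $s.Name -AccountName $acct -Force | Out-Null
        } elseif ([string]$ace.AccessRight -eq 'Custom') {
            Write-Warning "$($s.Name): custom share ACE for $acct must be set by hand"
        } else {
            Grant-SmbShareAccess -Name $s.Name -AccountName $acct `
                -AccessRight ([string]$ace.AccessRight) -Force | Out-Null
        }
    }
    Write-Host "$($s.Name): share and share permissions applied on this server"
}
```

NTFS permissions travel with /COPYALL and keep working after ADMT if SID history is migrated; only the share-level entries need the domain rewrite shown here.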

Answers

All replies

  • Hi Ronnie,

    What you might want to try is to create a Two-Way Transitive Trust between the 2 forests. Then, using the Active Directory Migration Tool (ADMT) and Password Export Server (PES), you would be able to migrate all user accounts with SIDs and history, as well as the systems, from the source domain to the destination domain. Do you need to migrate Exchange also? If so, you can do it as 1 big exercise: migrate the mailbox with the user account. If you migrate the SID and history, the requirement to change password is forced upon the user upon "first logon", but this can be changed with a bit of work in ADSI Edit.

    That should give you a bit of direction on the AD and Exchange side of things, and you can use the File Server Migration Tools (fsmigrate_x86.msi and fsmigrate_64.msi respectively).

    After that, a bit of app service migration, and flatten the old boxes to be re-used. You could always P2V the app servers to your own hosts and, with a bit of DNS and firewall work, have them running in your own environment but continuing to run the apps and services, which would buy you more time to plan a full service migration.

    regards

    Robert

    Saturday, February 09, 2013 5:45 PM
  • 1. Need to set up the DNS

    You can go with one of the above.

    2. Need to create the trust

    How to Create Two-way Transitive Trust – Windows Server 2008 R2

    http://social.technet.microsoft.com/wiki/contents/articles/13906.how-to-create-two-way-transitive-trust-windows-server-2008-r2-en-us.aspx

    3. Use ADMT for users, groups, passwords, computer migration, user profiles

    http://blog.thesysadmins.co.uk/category/admt

    ADMT Ver 3 for 2003
    ADMT Ver 3.1 for 2008
    ADMT Ver 3.2 for 2008 R2

    As of now Windows 2012 does not support ADMT. However, there are some other workarounds.

    4. Permissions are required for ADMT

    http://portal.sivarajan.com/2010/04/admt-service-account-permission-and.html

    Post here if you face any issue; we will try to fix that.


    Regards
    Biswajit Biswas

    My Blogs|MCC |TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin



    Sunday, February 10, 2013 2:30 PM
  • Hi Biswajit,

    That is really good info. I looked at ADMT earlier on YouTube; it does not look too difficult. I have 2 questions though.

    1. In this new branch office, which is going to be connected via our MPLS network, obviously the DC that I put in this new office can get network connectivity with their old IP range. But do I need to ensure connectivity from all the other branch offices that we have? We have 4 others.

    I was hoping with some DNS trick I can make it work. Maybe a forwarder to my DC in their office so that all other DCs know to go to that DC for name resolution, then on the DC in that office forward to their DC?

    2. Actually moving their PCs from their domain over to ours: is that something ADMT can do, or do I need to use a startup script with netdom move? So far the plan is to disjoin their computers from their domain and then join them to ours.

    Ronnie



    Sunday, February 10, 2013 4:34 PM
  • It is always good practice if the network is IP routable (from an AD DS perspective). If not, that is not an issue. Before creating the trust you need connectivity for the two sites (trusted domain site and trusting domain site).

    "disjoin their computers from their domain and then join on to ours" - You can do that if you want. In addition: Computer Migration

    All about ADMT

    ADMT Series – 1. Preparing Active Directory
    ADMT Series – 2. Preparing the ADMT Machine
    ADMT Series – 3. SID History
    ADMT Series – 4. Password Export Server
    ADMT Series – 5. Machine Preparation
    ADMT Series – 6. Service Account Migration Wizard
    ADMT Series – 7. Group Account Migration Wizard
    ADMT Series – 8. User Account Migration Wizard
    ADMT Series – 9. Merging Users with a Different sAMAccountName
    ADMT Series – 10. Security Translation Wizard - Local Profiles
    ADMT Series – 11. Computer Migration Wizard

    I would suggest creating an AD-integrated stub zone for creating the trust, so you don't need to worry about each DC (name resolution for the trusted domain & trusting domain).

    For checking the DNS use nslookup. If the nslookup output seems OK, you can create the trust.

    cmd---nslookup
    set q=srv
    _ldap._tcp.dc._msdcs.trusteddomain.com
    _ldap._tcp.gc._msdcs.trusteddomain.com
    _ldap._tcp.pdc._msdcs.trusteddomain.com
    _ldap._tcp.dc._msdcs.trustingdomain.com
    _ldap._tcp.gc._msdcs.trustingdomain.com
    _ldap._tcp.pdc._msdcs.trustingdomain.com

    If the above test passes, we can say DNS seems OK.


    Regards
    Biswajit Biswas


    • Edited by bshwjt Monday, February 11, 2013 4:20 AM
    Monday, February 11, 2013 3:22 AM
  • Hi Biswajit

    Sorry for this again. I am just talking to my network admin about this, and I am not 100% clear if I need every domain controller in my domain to have network (TCP/IP) connectivity to the other company's DCs, or if I just need to have my local DC in their office to have TCP/IP connectivity to their network. If I just need the new DC in their office to have TCP/IP connectivity to their DC and then set up DNS, then it would be a lot easier.

    Hope the above makes sense. Basically I have 2 DCs in every office. I have 4 offices plus a datacentre. The new office (their company) will be the 5th office.

    Thank you again. you really do give brilliant help.

    Ronnie



    Monday, February 11, 2013 9:36 AM
  • At least one DC should be pingable for creating a trust. Suppose we are creating a trust for microsoft.com with contoso.com.

    One DC from microsoft.com should be pingable from contoso.com & vice versa, and all AD standard ports should be opened for both the DCs. Hope you got your answer.

    If all the branches are pingable with each other, that is the best. If all the branches are not pingable with each other, that does not mean that you are not able to create the trust.

     

    Regards
    Biswajit Biswas


    Monday, February 11, 2013 11:40 AM
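An added example (not the poster's or Microsoft's code) that scripts the nslookup SRV checks from Biswajit's earlier reply for both sides of the trust and then probes the AD ports between one DC on each side, as this reply describes. The two domain names and DC addresses below are assumed placeholders.

```powershell
# Added example: pre-trust check. Each side must resolve the OTHER domain's _msdcs SRV
# records through its own DC, and the standard AD ports must be open between the DCs.
$Domains = @('trusteddomain.com', 'trustingdomain.com')   # assumption: the two forest roots
$Dcs     = @('192.168.10.10',     '192.168.20.10')        # assumption: one DC of each, same order

function Test-AdSrvRecords {
    param([string]$Domain, [string]$DnsServer)
    $ok = $true
    foreach ($role in 'dc', 'gc', 'pdc') {
        $name = "_ldap._tcp.$role._msdcs.$Domain"
        try {
            $recs = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' }
        } catch { $recs = $null }
        if (-not $recs) { Write-Warning "${name}: no SRV answer from $DnsServer"; $ok = $false; continue }
        foreach ($r in $recs) {
            # The target should be a FQDN inside the domain; a bare host name is unlikely
            # to resolve from the other forest.
            if ($r.NameTarget -notlike "*.$Domain") {
                Write-Warning "$name -> '$($r.NameTarget)' is not an FQDN in $Domain"; $ok = $false
            } else { Write-Host "$name -> $($r.NameTarget):$($r.Port)" }
        }
    }
    return $ok
}

function Test-AdPorts {
    param([string]$Dc)
    # TCP ports a forest trust and ADMT rely on between DCs. RPC also needs the dynamic
    # range (49152-65535 on 2008+) and Kerberos/LDAP use UDP too; a TCP probe cannot show those.
    $ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC mapper'; 389='LDAP'; 445='SMB';
                464='Kpasswd'; 636='LDAPS'; 3268='Global Catalog' }
    $ok = $true
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { Write-Warning "${Dc}:$p ($($ports[$p])) not reachable"; $ok = $false }
    }
    return $ok
}

$allOk = $true
foreach ($i in 0, 1) {
    # Query Domains[i] against the DC of the opposite side (stub zone / conditional forwarder).
    $allOk = (Test-AdSrvRecords -Domain $Domains[$i] -DnsServer $Dcs[1 - $i]) -and $allOk
    $allOk = (Test-AdPorts -Dc $Dcs[$i]) -and $allOk
}
if ($allOk) { 'DNS and ports look OK; the trust can be attempted.' } else { 'Fix the warnings above first.' }
```

Run it from a machine that can reach both DCs; Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.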
  • Hi Biswajith

    I managed to get the 2-way forest trust to work in a test lab; however, I had to change the name of one of the domain controllers. They were both named DC1 in their own domain. Would you know why?

    2 domains - rippie.local and testlab.local

    DC1.rippie.local and DC1.testlab.local

    rippie.local on 192.168.10.0/24
    testlab.local on 192.168.20.10/24

    Both DCs can ping each other on IP and on FQDN. I did notice, however, when I set up the ADI stub zone that it validated, but the FQDN of the "other" server only showed the hostname, not the FQDN of the DNS server on the other side.

    This did cause the 2-way trust to fail to complete, and I had to rename one domain controller, and then it all worked.

    Also, how does it work with client computers and their IPs? Obviously they don't change when you migrate users and computers over. Is there any work I need to do on this front?

    Ronnie



    Monday, February 11, 2013 7:40 PM
  • 1. DC1.rippie.local and DC1.testlab.local is not recommended by MS. Meaning: the same DC name (DC1) for both domains.

    2. Create the reverse lookup zone accordingly so nslookup looks good.

    3. See this for DC NIC settings (I would recommend the DC IP self-pointing for primary DNS).

    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    In addition,

    Known Issues for Creating Domain and Forest Trusts

    Review the following known issues before creating domain and forest trusts in Windows Server:

    • You cannot delegate the creation of trusts to any user who is not a member of the Domain Admins group or the Enterprise Admins group. Even though you can grant a user the Create TDO (Trusted Domain Object) right or the Delete TDO right in the System container of a domain, the user will not be granted the right to create a trust. This issue occurs because Netlogon and the trust-creation tools (Active Directory Domains and Trusts and Netdom) are designed so that only members of the Domain Admins group and the Enterprise Admins group can create trusts. However, any user who is a member of the Incoming Forest Trust Builders group can create one-way, incoming forest trusts to your forest.

    • When you are logged on locally to a domain controller and you try to create a new trust by using Active Directory Domains and Trusts, the operation may be unsuccessful and you may receive the message “Access denied.” This issue occurs only if you are logged on locally to the domain controller as an ordinary user (that is, you are not logged on as Administrator or as a member of any administrative groups for the domain). By default, ordinary users are blocked from logging on locally to a domain controller unless Group Policy is modified to permit this.

    • When you use the Active Directory Domains and Trusts snap-in to create a trust, you may receive the message “Operation failed. Parameter incorrect.” This issue may occur if you try to establish a trust relationship when the source domain and the target domain have one or more of the following identifiers that are the same:

      - Security identifier (SID)
      - Domain Name System (DNS) name
      - NetBIOS name

      To resolve this issue, do one of the following before you try to create the trust, as appropriate to your situation:

      - Rename the conflicting identifier.
      - Use a fully qualified domain name (FQDN) if there is a NetBIOS conflict.

    • The option to create a forest trust may not appear in the New Trust Wizard. This issue typically occurs when one or both of the Windows Server 2008 forests are not set to the Windows Server 2003 forest functional level or higher. For more information about forest functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466).

    • You cannot create a trust relationship with a Microsoft Windows Small Business Server 2003 (Windows SBS) domain. For information about Windows SBS software, see Introduction to Windows Small Business Server 2003 for Enterprise IT Pros (http://go.microsoft.com/fwlink/?LinkId=121891).

    One key point: auditing should be enabled in the AD infrastructure when you are migrating objects, else you will get a prompt/error. Enable the below settings from the Default Domain Controllers Policy.

    Read the below link; you will get lots of good info regarding trusts.

    http://www.frickelsoft.net/blog/?p=211


    Regards
    Biswajit Biswas


    • Edited by bshwjt Tuesday, February 12, 2013 12:24 PM
    Tuesday, February 12, 2013 2:43 AM
  • Hi Biswajit

    I just want to say a big thank you!! This thread is now going to be my bible for AD migration. Never had this good a response from anyone on TechNet. Thank you.

    Could I ask you to have a look at this post? http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/0a68ca7d-6498-4d01-a33b-053d04763cea

    It is for Exchange 2010 and renaming/migrating a domain.

    My latest thought is to create a new domain (not a child) in the same forest as my old domain, install 2 Exchange servers there, and then migrate mailboxes over to those 2 domain controllers along with everything else: users, groups and computers. My thoughts might be wrong, but if you can help in any way I would appreciate it.

    Regards
    Ronnie


    Tuesday, February 12, 2013 9:01 PM
  • Regarding Exchange, you can put your query in the Exchange forum. Thank you too; glad the info given was helpful for you.

    Regards
    Biswajit Biswas


    • Edited by bshwjt Wednesday, February 13, 2013 5:18 AM
    • Marked as answer by ronnie.jorgensen Monday, March 04, 2013 7:13 AM
    Wednesday, February 13, 2013 5:17 AM