Merging Child Domains to parent domain with Exchange Server present

  • Question

  • Hi,

    Good Day!!

    We are planning to do an Active Directory Migration.

    The scenario is: parent.local,child1.parent.local,child2.parent.local

    Parent.local is having all domain controllers with Windows Server 2012 R2

    Child1.parent.local is having one domain controller as Windows Server 2008 R2 and the other one is Windows Server 2003.

    Child2.parent.local is having all the domain controllers in Windows Server 2003.

    An Exchange organization is present in the forest. But separate AD accounts are created in the parent domain for child domain users for assigning mailboxes. So in effect child domain users have a separate account for logon and authentication in their respective child domain, and an additional account is present in the parent domain for email purposes.

    Now the customer is planning to merge all domains together.

    Customer conditions:

    Customer wants to retain the account in the parent domain for all users. All existing permissions on their file servers, which are currently in child domains, need to be retained. Users' profile data should be retained with all relevant permissions after the migration.

    Could you please suggest the best practice to get it done.

    Sunday, September 20, 2015 7:12 AM

Answers

All replies

  • Hi

    You can migrate users & groups with the ADMT tool from child to parent,

    check for admt

    https://technet.microsoft.com/en-us/library/cc974332%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    And you can do a cross-forest mailbox move to move users to the parent domain

    check this

    http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx

    "All existing permission on their file servers which is currently in child domains need to be retained" >>>> You will migrate the file server with NTFS permissions by using Robocopy

    Check for robocopy

    https://technet.microsoft.com/en-us/library/cc733145.aspx?f=255&MSPPError=-2147217396

    After migrating the file server to the parent domain, you can copy share permissions manually (also, the permissions still exist on the child domain)

    http://www.petenetlive.com/KB/Article/0000427.htm


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Sunday, September 20, 2015 10:27 AM
  • Dear Burak,

    Thanks for your reply. I think I was not clear in my question.

    Customer has 3 domains

    Parent and 2 child domains.

    Now the customer no longer requires the 2 child domains. The customer does not want to migrate the user or group accounts, as they already have user accounts available for the child domain users in the parent domain. They created these additional user accounts in the parent domain for the child domain users to assign mailboxes. (Maybe they didn't know that the same child domain users can be used to assign mailboxes.)

    Customer wants to retain the parent domain accounts for the child domain users, as they have already been used for creating email addresses. (Remember they have already created a separate account for the child domain users in the parent domain, for assigning mailboxes.) However, they want to retain the permissions of their file server, which were actually provided using the child domain user accounts, which they do not want to migrate to the parent domain.

    Is there any workaround for this? Or would you be able to advise me on this?

    Thanks in advance

    Jobish George

    Tuesday, September 22, 2015 10:37 AM
  • > they want to retain the permissions of their file server which actually
    > provided using the child domain user account, which they do not want to
    > migrate to parent domain.
     
    You mean they put user accounts in these permissions instead of groups?
     
    Anyway - icacls can save and restore ACLs, the saved ACL can be parsed
    and SIDs replaced.
     
    Or you leverage SID history in the parent domain. But I'm unsure if this
    works when child domain is decommissioned...
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, September 22, 2015 11:20 AM
  • Hi Martin,

    Thanks for your updates.

    They used AD groups to maintain permissions, but two or three user-based permission assignments are also there.
    In my test lab, I just reanimated the scenario. The merger process went smoothly; however, when I shut down the child domain DCs, they are not able to access the file shares, as it says access is denied.

    How would we tackle this situation?

    By the way, I couldn't properly understand "Anyway - icacls can save and restore ACLs, the saved ACL can be parsed". Can you elaborate a bit on it and on the SIDs being replaced?

    Many thanks

    Jobish


    Monday, March 7, 2016 5:24 AM
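
The "save the ACLs, parse them, replace the SIDs" approach mentioned in the replies above, and asked about in the last post, can be sketched as follows. This is an added example and not code from any participant in the thread; the function name `Convert-SavedAclSid`, all SIDs, the SID mapping and the paths are constructed for illustration.

```powershell
# Added example. Every SID and path below is constructed for illustration.
function Convert-SavedAclSid {
    param(
        [Parameter(Mandatory)][string]    $AclText,  # content of an icacls /save file
        [Parameter(Mandatory)][hashtable] $SidMap    # child-domain SID -> parent-domain SID
    )
    $replaced = New-Object 'System.Collections.Generic.List[string]'
    $unmapped = New-Object 'System.Collections.Generic.HashSet[string]'
    # Match whole domain SIDs (S-1-5-21-<3 sub-authorities>-<RID>) so that RID 110
    # is never rewritten inside RID 1105. Well-known principals appear in SDDL as
    # two-letter aliases (BA, SY, ...) and are not touched.
    $newText = [regex]::Replace($AclText, 'S-1-5-21(-\d+){4}', {
        param($m)
        if ($SidMap.ContainsKey($m.Value)) {
            $replaced.Add($m.Value)
            return $SidMap[$m.Value]
        }
        [void]$unmapped.Add($m.Value)   # report it, leave the ACE unchanged
        return $m.Value
    })
    [pscustomobject]@{ Text = $newText; Replaced = $replaced.Count; Unmapped = @($unmapped) }
}

# Constructed sample in the saved-ACL layout: a relative path line, then its SDDL line.
$sample = @'
Finance
D:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1105)
Finance\Reports
D:AI(A;OICIID;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1410)
'@

# Hypothetical mapping: child1 account SID -> SID of the same person's parent.local account.
$map = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'S-1-5-21-4444444444-5555555555-6666666666-2301'
}

$result = Convert-SavedAclSid -AclText $sample -SidMap $map
$result.Text
"Replaced: $($result.Replaced); still unmapped: $($result.Unmapped -join ', ')"

# Against a real share (run elevated; the file is UTF-16LE, assumed here without a BOM):
#   icacls D:\Shares\* /save C:\Temp\shares.acl /T /C
#   $text = [IO.File]::ReadAllText('C:\Temp\shares.acl', [Text.Encoding]::Unicode)
#   $out  = (Convert-SavedAclSid -AclText $text -SidMap $map).Text
#   [IO.File]::WriteAllText('C:\Temp\shares.new.acl', $out, (New-Object Text.UnicodeEncoding($false, $false)))
#   icacls D:\Shares\ /restore C:\Temp\shares.new.acl /C
```

The `Unmapped` list shows which child-domain SIDs would still be on the ACLs after the restore, which is the set to resolve before the child domain controllers are shut down. icacls also accepts `/substitute SidOld SidNew` together with `/restore`, which applies the same replacement without editing the saved file.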