3. Automatic migration of users' domain membership & profile without going to the user's desk.
4. Migrate existing server account membership along with service accounts.
Test LAB configuration

Microsoft Virtual Server environment used for testing. Microsoft Hyper-V used as virtual platform for virtual servers. Microsoft ADMT 3.0 is used for migration.

Migration Setup details
1. Old Windows 2003 Active Directory Domain name nitcowrl.com
2. Microsoft SQL 2005 Server which is a member of nitcowrl.com domain
3. 5 desktop clients with Windows XP SP3 which are members of nitcowrl.com Domain
4. New Windows 2003 Active Directory Domain name nitco.local
5. Migration server with ADMT 3.0 installed which is a member of nitco.local Domain
Aim
Migrate users (with passwords), Computers & Groups from nitcowrl.com domain to nitco.local domain. Migrate the SQL server service account to nitco.local domain. Change membership of the SQL server & XP clients from nitcowrl.com domain to nitco.local domain.

Migration Steps
Migration should be done in 2 steps:
1. Prepare domains for migration
2. Migrate objects from old domain to new domain
Enter the new domain FQDN in the DNS domain option & click OK.
Enter the IP Address for the new domain & click Add. Click Apply, then OK.
New Domain
DNS Server for new Domain
Creating 2 way Trust between domains
Logon to either of the Domains. Open Active Directory Domains and Trusts in Administrative Tools.
Go to properties of the Domain
Select Two-Way
After successfully creating the trust, it will give a message that by default SID Filtering is enabled. We have to manually disable SID Filtering afterwards.
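The manual step the trust wizard leaves behind, as an added example (not from the original document): SID filtering, which netdom calls "quarantine", is switched off on the trust the source domain has with the target domain, because that is the side that would otherwise discard the old nitcowrl SIDs migrated accounts carry in sIDHistory. It assumes netdom.exe (Windows Support Tools) is installed and that nitco\Administrator exists; for a forest trust the switch is /EnableSIDHistory:Yes instead of /Quarantine:No.

```powershell
# Added example, not part of the original document.
# Trusting side = nitcowrl.com (resources must honour sIDHistory), trusted side = nitco.local.
$SourceDomain = 'nitcowrl.com'          # old domain
$TargetDomain = 'nitco.local'           # new domain
$TargetAdmin  = 'nitco\Administrator'   # assumed: account netdom uses to reach the trusted domain

function Set-TrustSidFiltering {
    param([string]$Trusting, [string]$Trusted, [string]$User, [bool]$Enabled)
    $state = if ($Enabled) { 'Yes' } else { 'No' }
    # /PasswordD:* makes netdom prompt for the password instead of leaving it in the command history.
    netdom trust $Trusting "/Domain:$Trusted" "/Quarantine:$state" "/UserD:$User" /PasswordD:*
    if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
}

function Get-TrustSidFiltering {
    param([string]$Trusting, [string]$Trusted, [string]$User)
    # /Quarantine without a value only reports whether SID filtering is enabled for the trust.
    $out = netdom trust $Trusting "/Domain:$Trusted" /Quarantine "/UserD:$User" /PasswordD:*
    if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
    return ($out -join ' ')
}

# Before migration: disable SID filtering, then confirm the state netdom reports.
Set-TrustSidFiltering -Trusting $SourceDomain -Trusted $TargetDomain -User $TargetAdmin -Enabled:$false
Get-TrustSidFiltering -Trusting $SourceDomain -Trusted $TargetDomain -User $TargetAdmin

# After migration, if the trust is kept longer than planned instead of being removed in the
# post-migration tasks, turn SID filtering back on:
# Set-TrustSidFiltering -Trusting $SourceDomain -Trusted $TargetDomain -User $TargetAdmin -Enabled:$true
```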
This will create a .pes file in C:\ of the ADMT server. Copy the .pes file to the old domain controller.

Installing Password Export Server Service on old domain controller
1. Logon to the old domain controller
2. Download and run the pwdmig.msi file on the old server
Click Browse & specify the path of the .pes file which was copied.
The work is not complete yet. After installation we need to set the following registry entry to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AllowPasswordExport
By default the Password Export Server Service is set to Manual startup. We need to start the service.
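The registry switch and the service start from the two steps above, done together with a verification and a way to close the export path again once migration is finished. This is an added example, not from the original document; it is run in an elevated PowerShell on the old domain controller after pwdmig.msi is installed, and it finds the service by its display name because its short service name is not stated on this page.

```powershell
# Added example, not part of the original document.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PesName = 'Password Export Server*'   # display name prefix of the PES service (short name not assumed)

function Set-PasswordExport {
    param([bool]$Allowed)
    # AllowPasswordExport = 1 lets PES hand password hashes to ADMT; 0 (the install default) refuses.
    Set-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -Value ([int]$Allowed) -Type DWord

    $svc = Get-Service -DisplayName $PesName -ErrorAction Stop
    if ($Allowed) {
        # The installer leaves the service on Manual and stopped; ADMT needs it running.
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
    } else {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

function Test-PasswordExport {
    # ReadyForAdmt is $true only when the registry switch and the service state agree.
    $value = (Get-ItemProperty -Path $LsaKey -Name 'AllowPasswordExport' -ErrorAction SilentlyContinue).AllowPasswordExport
    $svc   = Get-Service -DisplayName $PesName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowPasswordExport = $value
        ServiceStatus       = $(if ($svc) { $svc.Status } else { 'not installed' })
        ReadyForAdmt        = [bool]($value -eq 1 -and $svc -and $svc.Status -eq 'Running')
    }
}

Set-PasswordExport -Allowed:$true   # before the user migration
Test-PasswordExport                 # expect AllowPasswordExport 1, ServiceStatus Running

# Once all users are migrated, close the export path again on the source DC:
# Set-PasswordExport -Allowed:$false
```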
We can verify the SID of an object before & after migration using the ADSIEDIT tool.
SID before migration
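The same before/after check that ADSIEDIT shows visually, done with ADSI from the migration server, as an added example (not from the original document): it reads objectSid and sIDHistory of one account in each domain and confirms that the target account's sIDHistory carries the old source SID. The user name testuser1 is an assumption; the domain names are the lab's.

```powershell
# Added example, not part of the original document.
function ConvertTo-SidString {
    param([byte[]]$Bytes)
    # objectSid and sIDHistory are stored as binary SIDs; this renders them as S-1-5-21-...
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Get-AccountSids {
    param([string]$DomainDns, [string]$SamAccountName)
    $root = [ADSI]"LDAP://$DomainDns"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "$SamAccountName not found in $DomainDns" }
    [pscustomobject]@{
        Domain     = $DomainDns
        DN         = [string]$result.Properties['distinguishedname'][0]
        ObjectSid  = ConvertTo-SidString $result.Properties['objectsid'][0]
        # Empty when the account has no sIDHistory (e.g. before migration, or "Migrate user SIDs" not selected)
        SidHistory = @($result.Properties['sidhistory'] | ForEach-Object { ConvertTo-SidString $_ })
    }
}

function Test-SidHistoryMigrated {
    param([string]$SourceDomain, [string]$TargetDomain, [string]$SamAccountName)
    $src = Get-AccountSids -DomainDns $SourceDomain -SamAccountName $SamAccountName
    $tgt = Get-AccountSids -DomainDns $TargetDomain -SamAccountName $SamAccountName
    [pscustomobject]@{
        User            = $SamAccountName
        SourceSid       = $src.ObjectSid             # SID issued by nitcowrl.com
        TargetSid       = $tgt.ObjectSid             # new SID issued by nitco.local
        TargetHistory   = $tgt.SidHistory
        # $true only when "Migrate user SIDs to target domain" worked for this account
        HistoryContains = [bool]($tgt.SidHistory -contains $src.ObjectSid)
    }
}

# Check one test user (name assumed) after the User Account Migration Wizard has run:
Test-SidHistoryMigrated -SourceDomain 'nitcowrl.com' -TargetDomain 'nitco.local' -SamAccountName 'testuser1'
```

Run it against the first migrated test user before migrating the rest: a HistoryContains of $false means access to old-domain resources will break for that account even though the password migrated.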
Creating OU & Group Policy for migration

Create a new OU for migration on both servers. We created an OU named Migration OU. Move all computers to that OU on the source server. We need to disable the firewall on all XP clients & add the migration account (the new domain's Administrator account) to the Local Administrators group on all source domain computers.

Note: Create the Firewall Disable Group Policy on the Migration OU in both domains. There is no need to create the Local Admin Group Policy in the new domain.

Creating Group Policy to disable firewall
Logon to the old Domain. Open Active Directory Users and Computers, open Migration OU Properties.
Create a new group policy called Migration Group Policy & then click Edit.
Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile and disable "Windows Firewall: Protect all network connections".
Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile and disable "Windows Firewall: Protect all network connections".
Creating Group Policy to add target administrator to local Administrators group on source computers

Note: Before creating this group policy, create a security group called migration on the new domain controller and add the new domain Administrator to this group.
Go to Computer Configuration > Windows Settings > Security Settings > Restricted Groups, right click & click Add Group.
By default it will show the old domain in the Locations option; change it to the new domain, select the migration group which was created & click OK.
Click OK
After adding members, in the "This group is a member of:" option click Add.

Add new domain Administrator account to old domain Builtin Administrators Group
Note: This is a very important task & must be performed before starting migration.
Logon to the old domain controller. Open Active Directory Users and Computers, click on Builtin & open Administrators Group Properties.
Click Add
In the Locations option, select the new domain, select Administrator & click OK.

Servers & clients preparation is completed. Now we are ready for migration.

Important Note
1. If the old Domain Controller OS is Windows 2000 then sometimes it may give problems migrating SIDs. In this case it is recommended to add an additional Windows 2003 DC to the old domain forest, transfer the FSMO roles to the Windows 2003 DC & then do the migration.
2. If the new Domain Controller OS is Windows 2008 then we must enable the following Group Policy in "Default Domain Controller Policy":
http://support.microsoft.com/kb/942564
Migration
Users Migration
We can migrate multiple users at a time but it is recommended to move 1 user the first time & check. Logon to the migration server using the administrator account & open Active Directory Migration Tool.
In Select Target OU, select Migration OU, which was created on the new server.
Select Migrate passwords. The password migration source DC will be selected automatically, as it was already configured on the old DC. Click Next.
Select Target same as source. It is recommended to disable source accounts so that users cannot logon to the old domain again. It is very important to select Migrate user SIDs to target domain.
Enter the source domain Administrator username & password, and then click Next.
Select Update user rights & Fix users' group memberships, and then click Next.
Migration status will be displayed. You can view the migration log. Click Close.

Groups Migration
Right click on ADMT & run Group Account Migration Wizard.
Select Source & Target domain / domain controller & click Next.
Enter the source domain Administrator username & password, and then click Next.
Computer Migration

Note: Client computers must be online while running the Computer Migration Wizard, because at the end of the wizard it changes the computer's domain membership automatically & remotely reboots the computer. If a computer is off while running the wizard then we have to MANUALLY change the computer's domain membership. Do not logon to the computer after it is rebooted by the ADMT wizard, because we need to run the Security Translation Wizard to automatically migrate user profiles to the new domain. If by mistake a client logs on to the new domain without completing the Security Translation Wizard, then logon to the computer using the local admin account & delete the new domain profile. Run the Security Translation Wizard again & then logon to the computer again.

Following are the steps for computer & profile migration:
1. Run Computer Migration Wizard & migrate the computer
2. At the end of the wizard, change the computer's domain membership
3. It will reboot the computer remotely
4. Wait till the computer reboots & then close the wizard
5. Do not logon to the migrated computer
6. Run Security Translation Wizard
7. Logon to the computer in the new domain
8. The client's old profile will appear in the new profile. No need to manually copy the profile.

Detailed Steps
Right click on ADMT & run Computer Migration Wizard.
Do not select any Translate objects. The Translation wizard should be run after completing the Computer Migration Wizard.
Run Pre-check before running the agent operation (changing the computer's domain membership).
After a successful agent operation, computers will reboot automatically. After the computer reboots properly, Post-check will also show successful. Wait till the Post-check task shows successful.
Click Close
Security Translation Wizard
Right click on ADMT & run Security Translation Wizard.
Select Run pre-check & click Start. Wait until pre-check shows Passed.
Select Run pre-check and agent operation & click Start. Wait until Agent Operation shows Successful. Then click Close.
After completing this task, please logon to the new domain from the client computer. You will find the client's old domain profile migrated to the new domain profile.

Servers Migration
Migration of server accounts is similar to desktop computers. The only difference is that we have to migrate the Service Account using the Service Account Migration Wizard.

Steps to migrate servers to the new domain:
1. Migrate the server computer account using Computer Migration Wizard
2. Migrate the service account using Service Account Migration Wizard
3. Migrate the service account user using User Migration Wizard
4. Run Security Translation Wizard to migrate the profile

Service Account Migration
Right click on ADMT & run Service Account Migration Wizard.
Select Run pre-check & click Start. Wait until pre-check shows Passed.
Select Run pre-check and agent operations & click Start. Wait until Agent Operation shows Successful.
Click Close after completing the operation. Migrate all users, Groups, Computers, servers & service accounts to the new domain.

Post Migration tasks
After successful migration do the following tasks:
1. Shutdown the old domain controller & check functionality
2. If the entire network is working fine then restart the old domain controller
3. Change all clients' & Servers' DNS settings to the new DNS server, if not changed
4. Remove the trust between the old & new domain
5. Shutdown & remove the old domain from the organization