•Overview
•Preparation
•Migrating Group Policies
•Preparation Part 2
•Migrating Groups
•Migrating Users
•Migrating Computers
•Migrating Servers
•Eliminating the Domain
•Potential Problems
Why Migrate?
•Active Directory can “easily” handle over a million objects in a single domain
•Child domains are not security boundaries
•Just about everything you can do in a domain, you can do in an OU (CHFA only lost control of the password policy, which mostly matched the one used in AD-ITS)
•Mac OS 10.5 (Leopard) disapproves of child domains
•Eliminate excessive servers and their total cost
•Remove AD roles from servers performing other roles
•Really no reason not to
That part of the presentation you’re supposed to have, but don’t really need.
Overview
1. Prepare
2. Notify users
3. Migrate Groups
4. Migrate Users
5. Migrate Computers
6. Migrate Servers
7. Fix Problems
8. Eliminate the Old Domain
Overview
•The ADMT tool is quite easy to use, like the Add Printer Wizard without the drivers and with that whole can-screw-everything-up part.
•Only way to undo an ADMT object migration when working within a single forest is to use the tool again, reversing the source and destination domains.
•As long as groups are set to universal, half your users and computers could be in one domain and the other half in another with virtually no problems.
•The ADMT tool has a comprehensive command-line interface in addition to its GUI interface. I will focus on the GUI interface.
Overview
•CHFA completed the major migration tasks over winter break
•Downtime to the typical CHFA user was about 2 hours for user migration, 2-4 hours for their computer migration (all GP software uninstalls and reinstalls), and 3 hours for server migration.
•2 machines (out of 312) failed severely enough to require reformatting, but both had experienced problems beforehand.
•About 8 machines required manually binding to the AD-ITS domain.
•A 3.2% failure rate on computers?
•No users or groups failed to migrate successfully
AKA The most important part of the whole process.
Preparation
•Create your new OU structure in the AD-ITS Domain (ask ITS-NS for initial setup)
•Good opportunity to reorganize and clean up
•Create new universal groups to represent the membership of various domain specific groups (like Domain Admins, or Domain Users). Add the users to these new groups before attempting any migration.
Preparation
•Delete unneeded accounts from the old domain to save time.
•Edit the “group scope” of all groups to be universal. This allows a user or group to be in either domain without difficulty.*
*While equally evil to its sibling “Copy Group Members” option, your groups should already be migrated, right?
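The two preparation steps on these slides (a universal group that mirrors the membership of a domain-specific group such as Domain Admins, and switching every ordinary group to universal scope) as an added PowerShell example. This is not code from the presentation or from ADMT; it assumes the ActiveDirectory module and rights in the source (child) domain, and every domain, group and OU name in it is a placeholder.

```powershell
# Added example (not from the original presentation or from ADMT).
# Assumes the ActiveDirectory PowerShell module and rights in the source
# (child) domain. All domain, group and OU names below are placeholders.
Import-Module ActiveDirectory

$SourceDomain = 'child.example.local'   # placeholder: the domain being eliminated

# Step 1: create a universal group that mirrors a domain-specific group such as
# Domain Admins. Those groups stay behind in the old domain, so their membership
# needs a home in an ordinary universal group before any users are moved.
function New-UniversalMirrorGroup {
    param(
        [Parameter(Mandatory)] [string] $SourceGroup,   # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [string] $NewGroupName,  # e.g. 'CHFA-Domain-Admins' (placeholder)
        [Parameter(Mandatory)] [string] $TargetOU,      # DN of an OU in the source domain
        [string] $Server = $SourceDomain
    )
    $existing = Get-ADGroup -Filter "Name -eq '$NewGroupName'" -Server $Server
    if (-not $existing) {
        New-ADGroup -Name $NewGroupName -GroupScope Universal -GroupCategory Security `
                    -Path $TargetOU -Server $Server
    }
    # Get-ADGroupMember also returns users whose primary group is $SourceGroup
    # (relevant for Domain Users), so nobody is left out of the mirror.
    $members = @(Get-ADGroupMember -Identity $SourceGroup -Server $Server)
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $NewGroupName -Members $members -Server $Server
    }
    return $members.Count
}

# Step 2: convert every ordinary group to universal scope. Well-known groups
# (RID below 1000) are skipped because their scope is fixed. Conversions that
# AD refuses (a global group nested in another global group, or a domain local
# group containing another domain local group) are reported rather than hidden.
function Convert-GroupsToUniversal {
    param([string] $Server = $SourceDomain)
    $groups = Get-ADGroup -Filter 'GroupScope -ne "Universal"' -Server $Server
    foreach ($g in $groups) {
        $rid = [int] $g.SID.Value.Split('-')[-1]
        if ($rid -lt 1000) { continue }
        try {
            Set-ADGroup -Identity $g -GroupScope Universal -Server $Server -ErrorAction Stop
            [pscustomobject]@{ Group = $g.Name; OldScope = $g.GroupScope; Converted = $true;  Error = '' }
        } catch {
            [pscustomobject]@{ Group = $g.Name; OldScope = $g.GroupScope; Converted = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage (placeholder names):
# New-UniversalMirrorGroup -SourceGroup 'Domain Admins' -NewGroupName 'CHFA-Domain-Admins' `
#     -TargetOU 'OU=Groups,DC=child,DC=example,DC=local'
# Convert-GroupsToUniversal | Where-Object { -not $_.Converted } | Format-Table -AutoSize
```

The conversion report matters more than the conversion itself: a global group that sits inside another global group cannot become universal until the outer group has been converted, so run Convert-GroupsToUniversal, fix or reorder whatever it lists, and run it again until nothing is refused. Only then does the slide’s promise that a user can sit in either domain hold for every group.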
Security Translation Wizard
•Very similar to the computer migration wizard (which I discuss next), except this one doesn’t migrate anything, but rather fixes security permissions for objects that have been migrated.
•Longest part of the user migration: the group and user moves themselves are very quick, but this step scans the servers for references to the old accounts and updates them.
ADModify.net
•Bulk AD object modification tool
•Used to undo the forced password change
•Users get a freebie on the password age and get a fresh start on their 3 months
•ADModify.net tool keeps an undo file for everything it does
•Might prove useful for other AD needs
•http://www.codeplex.com/admodify
•MSI package in \\mercury.chfa.uni.edu\Public\Interdisciplinary\Domain Migration
This is the part that might break things.
Migrating Computers
•Again, similar process to migrating groups and users.
•Migrated computers are disabled in source domain instead of being removed like users and groups
•Launch the ADMT tool
•Start the Computer Migration Wizard
•Choose the source and destination domains
•Add the computers you wish to migrate to the list or choose a pre-populated list of computers if you have created one
•Choose the OU in the target domain where you want the users to appear
Migrating Computers
•Choose all available translation options
•Choose replace mode
•Choose either 0 or 5 minutes for the computers to wait before restarting
•Don’t exclude any properties
•Do not migrate an object if there is a conflict
•When prompted, run the pre-check and agent operation in the ADMT Agent dialog box
•The ADMT Agent fixes references to the source domain on the computer
•Check the logs for problems
Migrating Computers
•You will have failures
•Machines need to be on
•Some will fail their post-check but will be fine
•Some will need to be bound manually
•There’ll probably be some that will need to be started over from scratch
•Give the ADMT agent plenty of time to run.
•Probably best to move no more than 20 or so computers at a time
It’s not like they do anything important.
Migrating Servers
•Just like migrating computers, except you’ve got a few extra things to watch for:
•Service accounts (mentioned earlier)
•Run the service account wizard if needed
•Maybe generic user accounts in use that have already been migrated?
•Anything that ties to AD needs to be updated
CHFA Server Migrations
•CHFA Migrated via the ADMT:
•One major file server
•A VMware server
•Several VMware guests, which are licensing servers
•A file/RIS/print server
•An SQL server
•The ADMT agent did take a long time to run on a large number of files (about a million files on our main file server)
The fun part.
Eliminating the Domain
•Run DCpromo on each domain controller and follow the on-screen prompts to remove AD from that server
•Once you only have one DC left, check the wonderful box for it being the last DC in the domain
•At this point, you’ll need an enterprise admin to come and enter their credentials to complete the process
•After it completes, anything left in the domain is gone
If you aren’t scared yet…
Potential Problems
•Conflicts: a computer name or user name exists in both domains. Resolve by renaming computers and determining why duplicate user accounts exist.
•Saved passwords are usually lost.
•Some programs don’t see the account as being the same (Dreamweaver for example) after it’s migrated, so “protected” settings are lost; see above.
•Use of built-in groups for security permissions will still point to the old domain
•Firewalls need to allow the ADMT agent into the system
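The Security Translation Wizard slide and the “built-in groups … still point to the old domain” problem above are two sides of the same check: after the wizard has run, which ACEs on the servers still name the old domain? This added PowerShell audit (not code from the presentation or from ADMT) walks a directory tree and reports explicit NTFS entries that still reference the old domain by name or carry a SID the server can no longer resolve. The domain name and path in the usage line are placeholders.

```powershell
# Added example (not from the original presentation or from ADMT).
# Audits NTFS ACLs under a path for entries that still point at the old child
# domain, i.e. what the Security Translation Wizard should already have
# rewritten. Run it with read access to the ACLs (locally or via a UNC path).
# The domain name and path in the usage line are placeholders.

function Find-StaleAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OldDomain   # NetBIOS name of the old domain
    )
    # A SID the server cannot translate to DOMAIN\name is shown as a raw S-1-5-21-... string.
    $sidPattern = '^S-1-5-21-\d+-\d+-\d+-\d+$'

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            # Only explicit entries: an inherited stale ACE is reported once, at the
            # object where it was set, which is also where it has to be fixed.
            if ($ace.IsInherited) { continue }
            $id = $ace.IdentityReference.Value
            $reason = $null
            if ($id -like "$OldDomain\*")    { $reason = 'references old domain' }
            elseif ($id -match $sidPattern) { $reason = 'unresolved SID' }
            if ($reason) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Reason   = $reason
                }
            }
        }
    }
}

# Usage (placeholders): list stale entries, then export them for the fix-up pass.
# Find-StaleAces -Path 'D:\Shares\Public' -OldDomain 'OLDDOM' |
#     Export-Csv -Path .\stale-aces.csv -NoTypeInformation
```

Accounts moved by ADMT within the forest keep their old SID in sIDHistory, so their ACEs keep resolving and are not flagged. What the audit flags is exactly the leftover the slide warns about: entries for groups that stay behind in the old domain (OLDDOM\Domain Users and the like) and SIDs of accounts that were deleted rather than moved. Run it before DCpromo removes the last DC, while those entries can still be rewritten against a live domain, and once more afterwards to confirm nothing resolves to the eliminated domain.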
Potential Problems
•Machines left off
•Laptops that are somewhere
•Users will always try to log in during the migration process—even at 7 AM on Christmas Day
•Software packages deployed via GP must uninstall/install successfully