Building new domain

Wayne

Hi,
My client wishes to start over fresh with his AD/domain,
that is - rebuild it from the ground up. He has about 80
users in the main office, and 3 small remote sites. The
remote sites are all on fast links and different subnets,
with cisco routers taking care of Nat, so I don't have to
deal with setting up sites. He wishes to use his existing
domain name, so I do not see how I can build the new AD in
parallel with the old. The new system will have 5 DCs, 2
at main office and 1 at each remote site. Additionally I
have to build a new 2000 exchange server, SQL 7 server and
application server to replace his existing machines.
So...all DCs and application servers will be replaced, but
all workstations will remain. Will I have to remove all
of the workstations from the domain and then rejoin them
to the new domain? (the domain name will be the same, but
we want a fresh AD) We are going to start fresh for the
mailboxes, that is have the users back up to PSTs, build
new exchange/mail boxes, then set them up in outlook.
Other than involving a bunch of grunt work, what are some
of my options? Scripting? - I have very little experience
here. Any suggestions for planning, etc will be greatly
appreciated.
Thanks - Wayne
 
Cary Shultz [A.D. MVP]

Wayne,

What are the reasons that your client wants to rebuild? Maybe this is the
real issue....

One possible method would be the run ldifde on one of your current Domain
Controllers with all of the switches to get the user account objects and the
correct 'fields' and another time for the groups to .ldf files. You could
use ExMerge for the mailboxes ( this creates user1.pst, user2.pst,
user3.pst files ). It is generally suggested to not run ExMerge on the
Exchange Server itself ( due to the high 'resources' used during ExMerge -
but if you are doing this after hours.... ). For the user files and folders
I suspect that a good backup would be in order. Then you could wipe and
load. Once you have the Servers set up ( sorry, can not be of any help with
SQL ) you would simply import the .ldf files ( which would create your user
account objects and your groups - naturally do the users first....and you
could do this all as one file - I just like to separate them where
possible ) and import the .pst files ( from the initial ExMerge process ) to
populate your mailboxes. You could then do a restore from backup ( you
would simply choose To another location... and then specify the location )
for the user's files and folders. This would not really help you, though,
with the permissions that were in-place.

Also, you would have to join each WINNT, WIN2000 and WIN XP Pro system to
the 'new' domain. Which is going to create a little bit of work for you.
You could possibly look at netdom ( a part of the Support Tools ) to help
with this. Additionally, you are going to have a problem with the user
profiles. Well, actually, this is not a problem. Just make sure that no
one stores anything locally ( read: that everything is stored on the File
Server ). You will have to determine if you are going to walk to each
workstation, log on as user1, then log off as user1 and log on as the local
Administrator ( or a member of the Domain Admins ) and - via Windows
Explorer - copy the user profile for user1 from the 'old' domain to the
'new' domain profile. There will invariably be a few little things (
usually shortcuts ) that will not work.

Again, this is one very simplified version of how you could do this.

By indicating that all of the remote sites are connected via fast links are
you saying that you have not set up Sites in the Active Directory Sites and
Services? So, you have only the default 'Default-First-Site-Name' and no
others?

HTH,

Cary
 
Cary Shultz [A.D. MVP]

Should have added that if there are problems with the Active Directory that
you might want to run dcdiag /c /v and netdiag /v as a start. Repadmin
/showreps and repadmin /showconn might be a couple of other things to run.
So would netdom query fsmo. All of these tools are available from the
Support Tools.

HTH,

Cary
 
Wayner

This company started with exchange 5.5, migrated to
exchange 2000, and had problems. They then tried to
start over fresh with exchange 2000, and installed
exchange 2000 enterprise instead, and had problems with
this. Their exchange guru claims the extended schema is
hosed up and a clean rebuild would be the best for them.
I do not know how truthful this is. I have been called in
to do the server work, but I have not undertaken a job
this size yet. Thanks for all of the info.
Wayne
 
Guest

Forgot to reply - yes, there are no sites set up - only
Default-First-Site-Name. Additionally, (this will make
things a little easier) I will be starting with new
servers for all of the DC's, exchange, sql, and file
servers, which I plan to load 2003 on. I can get these
built in the shop, build the AD/Domain, then swap out all
of the machines on site in one shot. I figure for most of
the data (after a good backup anyway), I can take the
application servers out of the "old" domain, join the new
domain, then just transfer data to the new replacement
server. I will not do this for the exchange server
though. SQL, I can just do a backup - transfer - restore.
Again, thanks a lot for all of the help.
- Wayne
 
Cary Shultz [A.D. MVP]

And I believe that we have "been there, done that" already. If I am not
mistaken, you were going to find out from the Exchange Guru what
justification he is giving to back up the statement that the schema is
hosed. Has he answered your question already?

If this is indeed the case ( the schema is hosed ) then I might suggest
biting the bullet and calling PSS and paying the 245.00. They can
'teleport' in and take a good hard look and possibly resolve things. Or
not!

HTH,

Cary


PS Not sure how installing Exchange Enterprise vs. Exchange Standard would
have led to any problems.
 
Wayne

Hi,
I have not heard back from the exchange guru yet, and
probably won't. The company has pretty much decided to
rebuild, and I have been "instructed" to go along. I
would rather try and fix the problem myself, but that is a
moot point now. They also want me to do the exchange piece
for them, I think they lost a little confidence in the
guru dude. So...on with the battle.
Thanks - Wayne
 
Cary Shultz [A.D. MVP]

Wayne,

No problems. If that is the way that it is then that is the way it is!

I would take a long hard look at using ldifde for the creation of the user
account objects. If you need help with the syntax I can help. There are
some switches ( like the -m and the -l that you definitely want to use for
the export! ). I would also take a look at ExMerge for the mailboxes. I
hope that no one has a mailbox larger than 2GB! Although, I can tell you
from experience that this should not be too much of a problem. In the past
I have done this with .pst files that were larger than the magical 2GB mark
( everything that you will read will tell you that .pst files 'break' at or
above 2GB ).

You might want to take this opportunity to fix the shared resources ( read:
shared folders ). Most people leave them at Everyone = Full Control. There
are several Command Line utilities that can help you with this - or you can
do it the 'old fashioned way'.

I also have some ideas on what you can implement that will make your 'daily
grind' a bit less. However, I will not force them on you. If you are
interested then ask. If not, that is cool as well.

What is the connection speed of the links from the three remote offices to
the HQ? The reason that I ask is that you might want to consider setting up
the Sites in the Active Directory Sites and Services. However, you need to
be aware of what this means. If you need help with that I would gladly
help.

For the front end stuff ( read: the client workstations ) you are going to
need some 'warm bodies'. If you have 80 in the HQ plus the three remote
offices it is going to take some time. Please do not think that you can do
it in four hours all by yourself. Not gonna happen.

HTH,

Cary
 
Wayne

Hi Cary,
I will begin working with the ldifde tool. As far as the
sites, I am planning 2 DCs in the main office, and 1 DC in
each site. They are all connected via T1 lines. They
have a good WAN tech that set up their cisco routers, so I
am thinking that if this works fine now, why monkey with
it. Unless there are some compelling reasons, but I can
always come back to this later. What are your thoughts
here? What are your ideas for reducing the daily grind?
One thing I would like to set up is something to monitor
event logs and email them out, but I have not implemented
anything like this yet, and am not sure what to use.
Thanks for all your help.
- Wayne
PS, I am planning to get the main office switched over on
a Saturday/Sunday, maybe 16 hours per day - I think this
is realistic since I will be starting with all new
hardware on the server side, and can build these ahead of
time. I also have 2 guys to help with the grunt work. Do
you think this sounds realistic?
 
Cary Shultz [A.D. MVP]

Howdy, Wayne!

Comments in-line.....

Wayne said:
> Hi Cary,
> I will begin working with the ldifde tool.

okay. To give you the big picture: what you are trying to accomplish here
is to get an .ldf file that contains all of your user account objects with
all of the attributes/values that you want/need. You would do this with the
ldifde utility on an existing Domain Controller. You will then need to put
this .ldf file on a floppy disk. I would then do the same for the groups.
Mind you, you can do this all with one .ldf file but I like to keep things
separated.

You would then create your Domain Controller ( wipe and load or however you
are going to do this ) and then import the .ldf files. You would need to
make sure that the OUs ( assuming that you have created some OUs and move
the user account objects into the created OUs ) exist before you do the
import - or it will fail! Please note that you will not easily be able to
include the passwords in this file. So, if you make use of Password
Complexity you will need to remember to not enable that until after you have
changed the passwords to meet the complexity requirements! You might want
to take a look at addusers.exe if this is going to present any problems.
> As far as the
> sites, I am planning 2 DCs in the main office, and 1 DC in
> each site. They are all connected via T1 lines. They
> have a good WAN tech that set up their cisco routers, so I
> am thinking that if this works fine now, why monkey with
> it. Unless there are some compelling reasons, but I can
> always come back to this later. What are your thoughts
> here?

T1 is not really that fast ( a 'LAN' is usually considered to be 10/100 so
the 1.544 is not quite there ) but is possibly enough. The advantage to
making use of Sites is that you control Active Directory Replication and
assist in user logons. The probability that the users in the remote Sites
will authenticate against a DC that is across a WAN link is greater if you
do not make use of Sites, generally speaking. But, if you have three users
in one remote Site and five in another remote Site then this should not
create any problems - generally.

I guess that we need to remember to keep things simple and to follow the 'If
it ain't broke, don't fix it!' mantra ( which I do not always like! ).

Is this a private link ( the T1's ) or are you going over the Internet? If
you have private links then do not worry about the next statement. If the
links are indeed going over the Internet then I would hope that you have a
VPN in place ( a Firewall-to-Firewall, or Site-to Site VPN ). This will
reduce the bandwidth that is available over the WAN links but is very
important to have.

> What are your ideas for reducing the daily grind?
> One thing I would like to set up is something to monitor
> event logs and email them out, but I have not implemented
> anything like this yet, and am not sure what to use.

There are a lot of things that I like to do. I will give you that list
later. Mainly things that are most useful if implemented from the get-go,
such as installing the Support Tools on all of the Servers, installing the
various utilities ( such as oldcmp ), enabling logging ( such as audit
account management, etc. ).


> Thanks for all your help.
> - Wayne
> PS, I am planning to get the main office switched over on
> a Saturday/Sunday, maybe 16 hours per day - I think this
> is realistic since I will be starting with all new
> hardware on the server side, and can build these ahead of
> time. I also have 2 guys to help with the grunt work. Do
> you think this sounds realistic?

It might be tight! If you had a third guy to help with the grunt work then
there would be less doubt in my mind. There will always be something that
will hang you up and take away time....If you build everything ahead - which
is a great idea so that all you need to do is the workstation stuff - then
you might just finish.
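
As an added example that is not from the thread (Cary describes the ldifde approach but gives no command lines), the script below sketches the export on an old DC and the import on the rebuilt one, with the two checks he calls out: the OU must exist before the import, and users go in before groups. The DC names, domain DN and OU are assumptions; the -m and -l switches are the ones he recommends.

```powershell
# Added example, not from the thread. Assumed names: old DC OLDDC1, new DC NEWDC1,
# domain DC=corp,DC=local (the client keeps the same domain name), user OU "OU=Staff".
$oldDc  = 'OLDDC1'
$newDc  = 'NEWDC1'
$baseDn = 'DC=corp,DC=local'
$ou     = "OU=Staff,$baseDn"

# --- Step 1: export on the OLD domain, before the wipe and load ---
# -m (SAM logic) drops system attributes such as objectSid and objectGUID that the
# new domain cannot accept; -l restricts the export to the attributes we carry over.
# Passwords cannot be exported, so unicodePwd/userAccountControl are left out and
# the accounts will be created disabled until a password is set.
ldifde -f users.ldf  -s $oldDc -d $ou -p subtree -m `
       -r '(&(objectCategory=person)(objectClass=user))' `
       -l 'objectClass,cn,sAMAccountName,userPrincipalName,givenName,sn,displayName,description,mail'

# Group 'member' values are user DNs; because the domain name and OU stay the same,
# they resolve after the users have been imported.
ldifde -f groups.ldf -s $oldDc -d $ou -p subtree -m `
       -r '(objectClass=group)' `
       -l 'objectClass,cn,sAMAccountName,description,groupType,member'

# Copy users.ldf and groups.ldf off the box (floppy, USB, share) before rebuilding.

# --- Step 2: import on the NEW domain controller ---
# The OU named in every dn: line must already exist or the whole import fails.
if (-not [adsi]::Exists("LDAP://$newDc/$ou")) {
    throw "Create $ou in the new domain first; ldifde -i does not create parent OUs."
}

# Users first, then groups. -k continues past 'already exists'/constraint errors
# instead of aborting; -j . writes ldif.log and ldif.err to the current directory.
ldifde -i -f users.ldf  -s $newDc -k -j .
ldifde -i -f groups.ldf -s $newDc -k -j .

# --- Step 3: every imported account is disabled and has no password ---
# List them so each can be given a password that meets the complexity policy and
# then enabled, e.g.  net user <sAMAccountName> * /active:yes  on the new DC.
Select-String -Path users.ldf -Pattern '^sAMAccountName: (.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
```

Keep password complexity disabled on the new domain until Step 3 is finished, as Cary notes, or the password changes will be rejected.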
