moving users and computers from one AD server to another

Guest

Using Windows 2000 Server (upgrading is not an option)

I am in a situation where I need to move as much of my configuration
(computers, users) from one AD server to another; however, I will not be able
to have them both up on the network at the same time. What is the best way
to go about this?

I've seen LDIFDE mentioned, but I'm concerned that using that is above my
knowledge level. I'm a software engineer by trade and a unix administrator
by necessity with a smattering of Windows thrown in (I know just enough about
AD to get by with what I'm doing and unfortunately I'm the most knowledgeable
person we have available for this project).

Thanks in advance.
 
Florian Frommherz

Howdie!
> I am in a situation where I need to move as much of my configuration
> (computers, users) from one AD server to another; however, I will not be able
> to have them both up on the network at the same time. What is the best way
> to go about this?
> I've seen LDIFDE mentioned, but I'm concerned that using that is above my
> knowledge level. I'm a software engineer by trade and a unix administrator
> by necessity with a smattering of Windows thrown in (I know just enough about
> AD to get by with what I'm doing and unfortunately I'm the most knowledgeable
> person we have available for this project).

ADMT is what you are looking for:
http://www.microsoft.com/downloads/...b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en

See this KB article:
http://support.microsoft.com/kb/326480

But what you are trying to achieve is not really an easy one -
especially if you have no experience in administering Active Directory.
You may want to set up a testing domain with dummy users and
computers and test it or find a consultant that will do the migration
for you.

cheers,

Florian
 
Guest

Unfortunately I am moving from W2k server to W2K server.

This post relates to my other post "Domain Administrator restricted on new
secondary DC". Since I haven't gotten any answers to this posting in any
forum I've posted in, I'm trying to figure out how to get my users and
computers off of the system before I demote the PDC and remove the domain. I
will then have to add a new AD server and recreate the identical domain (this
is where I hoped to import the users and computers exported from my old
domain server). Unfortunately, I will be using Windows 2000 server on the
new domain (AD) server since I cannot upgrade the system yet.

ADMT looks promising, but I need to get more pertinent directions before
attempting this. A consultant is not an option. I'm what we've got.

Thanks.
 
Jorge de Almeida Pinto [MVP - DS]

> I am in a situation where I need to move as much of my configuration
> (computers, users) from one AD server to another; however, I will not be
> able to have them both up on the network at the same time.

WHY?

what are the requirements?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Guest

As I said in my posted response to Florian:
Unfortunately I am moving from W2k server to W2K server.

This post relates to my other post "Domain Administrator restricted on new
secondary DC". Since I haven't gotten any answers to this posting in any
forum I've posted in, I'm trying to figure out how to get my users and
computers off of the system before I demote the PDC and remove the domain. I
will then have to add a new AD server and recreate the identical domain (this
is where I hoped to import the users and computers exported from my old
domain server). Unfortunately, I will be using Windows 2000 server on the
new domain (AD) server since I cannot upgrade the system yet.

ADMT looks promising, but I need to get more pertinent directions before
attempting this. A consultant is not an option. I'm what we've got.

My other posting in this forum was:
1. running W2k server (SP4 with Rollup 1) on AD1 as PDC
2. added AD2 as SDC
3. promoted AD2 to PDC
4. migrated roles to AD2
5. demoted AD1 to domain member

System working fine, but several months later needed to replace AD2 with new
server (need to keep name and IP)
6. added AD1 as SDC
7. promoted AD1 to PDC
8. migrated roles to AD1
9. demoted AD2 to domain member
10. removed AD2 from domain

So far so good. AD1 working as DC.

11. added AD2-new as domain member
12. when logged in to AD2-new after reboot, Run command gone from Start
menu and Command Prompt access is denied; Administrative Tools missing from
menus; tried running dcpromo (only worked by double click on executable) and
was able to add AD2-new as SDC, but could not transfer Roles to SDC to make
it PDC
13. All user accounts now being asked to change their passwords and if they
do, are locked out of system
14. AD1 is not restricted for the Domain Administrator in any way

Managed to get AD1 functioning as PDC and DNS server and other functions it
has, but need to find out what is causing decreased functioning of Domain
Administrator. There is a Group Policy that is set on an OU of RWusers (not
the User OU), but the Domain Administrator is not a member of that OU, it is
in the Users OU. That GP removes Run from the Start menu, does not allow the
user to save to the hard drive of the workstation and does not allow use of
USB ports, CD/DVD drive or floppy drive. I'm thinking that the GP was
initially set as part of the Default Domain Policy and that no one is owning
up to it. I've looked and cannot find where it might be set, but I may no
longer have rights to see it as Domain Administrator.

I need to try to clean this up and keep my AD setup and users. Suggestions?

My only other option that I can see is to totally remove the domain and
introduce a new AD2-new with a clean install of AD and the domain set up
there and then propagated to the other machines.

Other post continued:
I neglected to mention that I followed KB226243 (How to reset security
settings in the default Domain GPO in Windows 2000) and that did not fix the
problem -- I believe that is due to the restricted nature of the domain
administrator user in this case (I could be wrong....).

-----------
Since I need to keep the same domain name, host name and IP address (system
configuration issue, not an option to change it) I cannot have both AD
servers on the system at the same time.

Thanks.
 
Herb Martin

rtechguy said:
> As I said in my posted response to Florian:
> Unfortunately I am moving from W2k server to W2K server.

Is that TO "Win2003" server?

> This post relates to my other post "Domain Administrator restricted on new
> secondary DC". Since I haven't gotten any answers to this posting in any
> forum I've posted in,

That's unusual, especially if your problem was clearly
summarized in the subject, the correct group(s) -- with
reasonable crossposting were used -- and you stated
your goals or question clearly, then proceeded with
any needed detail.

> ...I'm trying to figure out how to get my users and
> computers off of the system before I demote the PDC and remove the domain. I
> will then have to add a new AD server and recreate the identical domain (this
> is where I hoped to import the users and computers exported from my old
> domain server). Unfortunately, I will be using Windows 2000 server on the
> new domain (AD) server since I cannot upgrade the system yet.

That is almost never the way to fix a problem.

Just add another DC (DCPromo), move special roles
(5 Single masters), the GC, DNS and WINS Server,
plus anything else running on the old DC which is important.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
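
The role-transfer step from the reply above, written out as a batch file around ntdsutil. This is an added example, not part of any post in the thread; it covers only the five single-master roles (not the GC, DNS or WINS), and it uses the thread's server name AD2-new as a placeholder for the new DC.

```bat
@echo off
rem Added example, not from the thread.
rem Run on a domain controller with an account that is a member of Domain Admins,
rem Schema Admins (schema master) and Enterprise Admins (domain naming master).
rem NEWDC is a placeholder: the DC that should hold the roles afterwards.
set NEWDC=AD2-new

rem 1. Record which server holds each role before changing anything.
ntdsutil roles connections "connect to server %NEWDC%" quit ^
  "select operation target" "list roles for connected server" ^
  quit quit quit

rem 2. Transfer the five single-master roles to %NEWDC%.
rem    Each quoted string is one ntdsutil command, and each transfer asks
rem    for confirmation. "transfer" needs the current role holder online;
rem    it is the graceful path, unlike "seize".
ntdsutil roles connections "connect to server %NEWDC%" quit ^
  "transfer schema master" ^
  "transfer domain naming master" ^
  "transfer PDC" ^
  "transfer RID master" ^
  "transfer infrastructure master" ^
  quit quit

rem 3. List the roles again; every one should now name %NEWDC%.
rem    Do not demote the old DC until this is true.
ntdsutil roles connections "connect to server %NEWDC%" quit ^
  "select operation target" "list roles for connected server" ^
  quit quit quit
```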
 
