Domain migration

Mykhaylo Khodorev

Hi!
I have a Win2000 domain. Now I want to create an empty root domain in
order to restrict access to groups Enterprise Admins and Schema Admins and
move into the new domain's forest an existing domain. So I see two ways:
1. Create new domain in new forest and migrate there an existing domain.
2. Create new domain in existing forest and delegate to new domain
rights of root domain.
Which way is possible and how to do this? If both ways are possible
which one would be better (easier, more correct, etc)?
Thanks in advance.
Mykhaylo
 
Simon Geary

You cannot change which domain in the forest is the forest root domain so
option 2 is ruled out right away.
You cannot migrate an entire domain to a new forest so option 1 is also
ruled out.

However, you could create a brand new forest and brand new domains and then
use ADMTv2 to migrate all users and computers across. This will work in
theory but this is a massive undertaking and you have to weigh the benefits
with the work involved. These kinds of decisions are best taken at the start,
before you build a forest. I would guess that in most cases you are better
off just sticking with what you've got.
 
David Brandt [MSFT]

Somewhat confused by what you're wanting to do here regarding those groups,
as schema admins will be able to do whatever they want within a forest,
regardless of domain, one way or another, so creating a new domain, tree or
child, within that forest will not cut them off if they really want to do
something there. Likewise, if you create a new forest/domain the schema
admins there will have the same control there, and any "restriction" you
make in the new forest/domain you should also be able to do in your existing
forest/domain.
Not sure what you mean, or what you're trying to do, when you say "restrict
access to groups Enterprise Admins"
Are you just wanting to restrict membership in those groups?
--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Mykhaylo Khodorev

Right. Any domain admin can change membership of those groups. That's
why I want to create an empty root domain. Is it possible, or do I have to
create a new domain and migrate users and computers from the old one?
Thank you.
Mykhaylo
 
David Brandt [MSFT]

If I understand this correctly, you want to have a domain that controls the
enterprise admin accounts which other domain admins are not able to access?

If so and you wanted to start "clean", then you would need to create a
"root" domain in a new forest, and then create child domain/s under that in
which you would migrate everybody. In doing that, you would be the
enterprise admin/domain admin, etc., and the domain admins of the child would
not have access to the parent domain admin group.
However, you could also in your existing setup (assuming currently one
domain in the forest) create either a child domain to the existing domain,
or a new domain as a separate tree in the forest, and migrate everybody to
that domain. Either would separate the two domains and thus domain admins
groups, so only one would have access to the enterprise group, but would
require some pruning of accounts etc to get it restricted.

Either way, it will be a lot of work. I don't know anything about your
company, but normally folks are not made domain admins unless they can be
trusted to do the job as they're instructed.

--
David Brandt
Microsoft Corporation

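As an added example that is not from this thread: a PowerShell audit of the forest-root groups the posters are discussing, so an administrator can see whether the "isolated root" goal actually holds. It assumes the RSAT ActiveDirectory module and an account that can read group membership in the forest root domain; Domain Admins, Enterprise Admins and Schema Admins are located by their well-known RIDs (512, 519, 518) under the root domain SID rather than by display name.

```powershell
# Added example: audit the forest-wide admin groups, which live only in the
# forest root domain. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
# root domain; Domain Admins (RID 512) of the root domain can edit both, which
# is why the thread wants that root domain empty of ordinary admins.
$groups = @{
    'Domain Admins'     = "$rootSid-512"
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
}

$findings = foreach ($name in $groups.Keys) {
    $members = Get-ADGroupMember -Identity $groups[$name] `
                                 -Server $rootDomain.DNSRoot -Recursive
    foreach ($m in $members) {
        # A member whose SID is not from the root domain was added from a
        # child or tree domain, which defeats the point of an isolated root.
        [pscustomobject]@{
            Group      = $name
            Member     = $m.SamAccountName
            ObjectType = $m.objectClass
            FromRoot   = ($m.SID.Value -like "$rootSid-*")
        }
    }
}

$findings | Sort-Object Group, Member | Format-Table -AutoSize

# Schema Admins should normally be empty; populate it only for a schema change.
$schema = @($findings | Where-Object Group -eq 'Schema Admins')
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) member(s); expected empty."
}

# Accounts from child/tree domains in root-domain admin groups are a finding.
foreach ($f in ($findings | Where-Object { -not $_.FromRoot })) {
    Write-Warning "$($f.Group) contains $($f.Member) from outside the root domain."
}
```

Run it from a host joined to any domain in the forest; Get-ADGroupMember -Recursive can error on very large or cross-forest memberships, in which case fall back to reading the group's member attribute directly.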
 
Mykhaylo Khodorev

Thank you.
