Migrating User Profiles After Moving To New Domain


Mike Poe

Hello,

I am planning a project where I will need to migrate approx. 500 users &
computers from one active directory domain to another. A trust exists
between the domains, but they are not part of the same forest.

I'm comfortable using ADMT to move the user accounts. My question is
about the computer accounts & user profiles on the workstations.

If I use ADMT to move computer accounts from Domain A to Domain B, will
I still need to visit each workstation, remove it from the old domain &
join it to the new one - or is that done simply by moving the computer
account with ADMT? Also what about user profiles on the workstations?
When the user logs on to the new domain for the first time, will their
old profile still work (desktop settings / Outlook settings / etc)?...
or will I need to copy the existing profile to the user after they've
logged on & set permissions / etc?

I had to do this very thing a long time ago on a much smaller scale -
maybe 10 / 15 users & computers - and as best I can remember I had to
visit each workstation to take care of the user profiles & domain
membership. I guess I'm looking for a way to automate this whole
process to avoid having to visit 500 some machines due to time
constraints.

Thanks for any suggestions.

Mike
 

Jorge de Almeida Pinto [MVP]

ADMT can do it for you:
* move to another domain
* translate security on profiles and other data

Have you tried ADMTv3?

Migration high level steps COULD BE:
* Make sure the AD has been configured (sites, subnets, replication, OUs,
GPOs, delegations, DNS, WINS, DHCP, etc.)
* Setup name resolution (WINS or DNS) between source and target
domain/forest
* Setup trusts (if an external trust is configured and sidhistory is used,
disable sid filtering)
* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with
sidhistory)
* Migrate clients from the source domain to the target domain, translate
security on the client, and translate profiles (at this moment users start
logging on with their new AD account on the migrated clients that have been
migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data/resources from source security
principals to target security principals (replace the security descriptors
from the old domain with the security descriptors from the new domain )
* Cleanup temporary configurations
* Cleanup sIDHistory (recommended!). sIDHistory is used to access resources
while those resources still have security descriptors from the old domain.
As soon as all data (files, folders, mailboxes, etc.) has been re-ACL-ed,
sIDHistory can be cleaned. sIDHistory should only be used temporarily for
migration purposes!
* Remove trusts
* Decommission old domain(s)


For more info on migrating to an AD domain also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx

ADMTv3 has been out for a while, so be sure to use that version.
(http://www.microsoft.com/downloads/...7B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
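
The sIDHistory cleanup step in the list above depends on knowing which migrated objects still carry old-domain SIDs. The following is an added example, not part of the original post: a PowerShell audit of the target domain using the ActiveDirectory module. The domain names `old.example` and `new.example` are placeholders.

```powershell
# Added example: audit leftover sIDHistory in the target domain before cleanup.
# Requires the ActiveDirectory module (RSAT) and read access to both domains.
Import-Module ActiveDirectory

# Assumption: placeholder domain names, replace with your own.
$SourceDomain = 'old.example'   # Domain A (being decommissioned)
$TargetDomain = 'new.example'   # Domain B (migration target)

# Domain SID of the source domain; every SID migrated from it starts with this.
$sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# Every object in the target domain that still carries a sIDHistory value.
$objects = Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, sAMAccountName

$report = foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        $sidText = [string]$sid
        [pscustomobject]@{
            Account     = $obj.sAMAccountName
            Class       = $obj.ObjectClass
            HistoricSid = $sidText
            # True when the value came from the domain being retired.
            FromSource  = $sidText.StartsWith("$sourceSid-")
        }
    }
}

# Summary per object class, then the full list for the change record.
$report | Group-Object Class, FromSource | Select-Object Count, Name
$report | Sort-Object Class, Account | Format-Table -AutoSize

# Entries to review first: sIDHistory that does not come from the source domain.
$report | Where-Object { -not $_.FromSource }
```

Run it before removing the trust: once re-ACLing is complete and the values have been cleared, the report should come back empty.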
 

aaronw

Might be worth checking.
If you export your AD to a CSV file, see how many entries there are. I
did that and I had 27,000, so there was no way I was migrating 27,000
entries, or then the new domain would be just as slow and crap as the
old one, so I just copied the users and started afresh. It may take a bit
longer, but it will do a better job.
 

Marc Valadas

Hi,

Maybe this can also help.
I did several inter-forest migration tests for my company, between two
AD 2003 domains.
I used ADMT v3.0 and it worked very well in "moving" local user
profiles.
But it didn't work the first time I used it, I had to troubleshoot a
little and understand why.
So ADMT can't really move a user's local domain profile (Documents and
Settings\%username% on XP) like you would move a file or folder in
Windows Explorer.
But what it can do is "re-use" this local profile for the new migrated
user account (all settings are retained when the user logs on with his
new account to the target domain : wallpaper, IE favorites, shortcuts,
etc...) and this is the goal.
What you need to do is :
1. Migrate the user account using the ADMT account migration wizard
2. Migrate the computer account using the ADMT computer account
migration wizard (choose to migrate all objects, files and folders,
registry, local groups and of course user profile, etc... and choose to
replace security).
There are just two things to be aware of (at least in my case, this is
why it didn't work the first time) :
- do not log on to the workstation with the new migrated user account
(target domain) BEFORE you migrate the computer account
- do not migrate the computer account while the old user account
(source domain) is logged on to the workstation
In the first case, ADMT will use the new profile in documents and
settings and you won't retain the user settings (you'll get a new
pristine user profile...).
In the second case, ADMT won't be able to use the old user account
because it's locked.
Hope this helps.

Regards,

Marc Valadas
MCSE, MCDBA, CCNA
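
The two conditions in the post above (no target-domain profile created yet, nobody logged on during the computer migration) can be checked remotely before each batch. This is an added example, not part of the original post; the target domain SID and workstation names are constructed placeholders, and it assumes WMI and the Remote Registry service are reachable on the workstations.

```powershell
# Added example: pre-flight check before running the ADMT computer migration.
# Run from Windows PowerShell with admin rights on the workstations.

# Assumptions: placeholder values, replace with your own.
$TargetDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # constructed
$Computers       = 'WKS001', 'WKS002'                           # hypothetical

$profileList = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = foreach ($computer in $Computers) {
    try {
        # Console user currently logged on (empty when nobody is).
        $cs = Get-WmiObject -Class Win32_ComputerSystem `
            -ComputerName $computer -ErrorAction Stop

        # Profiles already created for accounts of the target domain:
        # ProfileList has one subkey per profile, named after the account SID.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $key  = $hklm.OpenSubKey($profileList)
        $newProfiles = @($key.GetSubKeyNames() |
            Where-Object { $_.StartsWith("$TargetDomainSid-") })
        $hklm.Close()

        [pscustomobject]@{
            Computer          = $computer
            LoggedOnUser      = $cs.UserName
            TargetProfileSids = $newProfiles -join ', '
            ReadyToMigrate    = (-not $cs.UserName) -and ($newProfiles.Count -eq 0)
            Error             = $null
        }
    }
    catch {
        # Unreachable or access denied: report it instead of assuming it is ready.
        [pscustomobject]@{
            Computer = $computer; LoggedOnUser = $null; TargetProfileSids = $null
            ReadyToMigrate = $false; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```

`Win32_ComputerSystem.UserName` only reports the console session, so a workstation with a Remote Desktop session still needs a separate check.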


