Moving DC to New Forest - Follow-on

Diane

A company is divesting from its parent and wants to
establish its own network/domain structure. It has one
win2k server that is one of 5 DCs on the parent network.
The AD contains entries for the entire parent company and
logon and security practices that are to change. As
such, we want to start with a clean AD and not migrate
entries from the parent AD. Given that, we are trying to
figure out the best way to move the win2k server to the
new forest/domain. Responses to an earlier post
indicated it would have to be rebuilt, however, we are
really trying to avoid a rebuild since it would be full
of issues that we would like to address later versus now.
So, we are wondering if we can demote the server, then
change the domain, promote to a DC, then reinstall AD to
replicate to the new domain structure. If yes, what
impact would this have on the system settings,
permissions, etc.? Also, how do we construct a fall back
in case it blows up in the middle? Can we simply reverse
the process?

I have looked through various tools like ADMT and
cloneprincipal but they seem to address moving items from
AD to a new forest/domain - not how to get a server to
the new domain. Sorry for the really long post - wanted
to give some decent background.

Thank you for all help and insight.
 
Cary Shultz [MVP]

in-line...and please correct me if I am incorrect in my
approach here. I am under the impression that you want
to dcpromo an existing DC from the 'parent company' while
keeping all of the user accounts intact.
-----Original Message-----
A company is divesting from its parent and wants to
establish its own network/domain structure. It has one
win2k server that is one of 5 DCs on the parent network.

By 'parent company' I presume that you mean that this
company is currently simply a division or what not and is
NOT a Child Domain. I am not sure that I understand what
you mean by 'it has one WIN2K server that is one of the
five DCs in the parent network'. Do you mean that it
uses this one DC as the main file server for the users in
this division or what not? Please bear in mind that with
WIN2000 all DCs are on equal footing and that all DCs
replicate their AD accordingly with each other. Remember
that there are three Naming Contexts, or partitions, in
AD and how the replication takes place depends on what NC
we are talking about ( the Domain NC replicates only with
the DCs in that specific Domain while all DCs in the
entire Forest replicate the Configuration and Schema
NCs ).
The AD contains entries for the entire parent company and
logon and security practices that are to change. As
such, we want to start with a clean AD and not migrate
entries from the parent AD. Given that, we are trying to
figure out the best way to move the win2k server to the
new forest/domain. Responses to an earlier post
indicated it would have to be rebuilt, however, we are
really trying to avoid a rebuild since it would be full
of issues that we would like to address later versus now.

I am not sure that I see any other way! If the DC in
question in currently a DC ( one of five ) in an existing
domain, how do you plan to remove it from that
domain?
So, we are wondering if we can demote the server, then
change the domain, promote to a DC, then reinstall AD to
replicate to the new domain structure.

Not sure that I understand this. When you promote a
Member Server to DC, you just installed Active
Directory. You have to choose if this is the first Domain
Controller in a new Domain Tree / Forest or an additional
DC in an existing Domain. What do you mean by 'then
reinstall AD to replicate to the new domain structure'?
What Structure? If this is the first DC in the new
Forest, there is no other DC ( aka: structure ) with
which to replicate!

If yes, what
impact would this have on the system settings,
permissions, etc.? Also, how do we construct a fall back
in case it blows up in the middle? Can we simply reverse
the process?

Sorry, think that the answer would be 'no'.
I have looked through various tools like ADMT and
cloneprincipal but they seem to address moving items from
AD to a new forest/domain - not how to get a server to
the new domain. Sorry for the really long post - wanted
to give some decent background.

Was going to get to this! Glad that you mentioned them.
They could be useful. You could use ADMT v2 to help you
bring over the user accounts. Cannot speak about
ClonePrincipal ( but have heard lots of good stuff about
it ). I just hope that this divestiture is going to
be 'friendly'. You might have a problem using either if
it is 'unfriendly'. I might suggest that you take a look
at some ADMT v2 information and look into the Interforest
Migration.
Thank you for all help and insight.

HTH,

Cary
 
Diane

Cary,
I can see I've got a lot to learn in this space. I need
to find out exactly how the "child" company is set up -
it is hard to get concrete information. My understanding
is they are a division not a child domain. When I look
at the AD I see the entire parent company. The "child's"
users and groups are a part of this structure. They log
on to the parent domain (though the setup for some
systems indicates they are part of a workgroup - are you
familiar with how workgroups are handled within a domain
structure? I did some research and could not find
information on how workgroups fit into an AD
structure??). To clarify our current direction and
supply some key missing information:

- Yes, the one DC is a main, overloaded file server for
the "child".
- We are installing new systems including a firewall and
exchange server (mail is currently provided by the
parent) and establishing a new root/DC for the "child"
company under a new domain name. This would provide the
new AD structure with which to replicate.
- We don't want to move accounts from the parent AD but
manually recreate them on a new AD structure. The company
is small (about 40 users) so it's not an onerous task.
The parent has many policies in place the "child" wants
to remove so we felt recreating the AD would be a more
straightforward way to go. Given that, we are concerned
about how to preserve the desktop environments for the
clients in the new domain, a mix of win 95/98, 2000 Pro
and XP. I believe Moveuser or ADMT will allow us to move
only the profile....is this correct? Our goal would be
to copy (i.e. have the profile in the old and new
domains) the profiles to the new domain as one of the
preparatory steps. Is this necessary for the 95/98
systems? The 2000 and XP systems would create a new
account profile in the new domain, so we know we need to
deal with those. We realize we will have a good amount
of setup to do after the fact.
- Given the above clarifications (I hope it's more
clear!), re: the DC is there any way to avoid a system
rebuild? Our preliminary thinking was to establish the
new DC/root, copy over user profiles from old DC to new
DC, demote the old DC making it a member server in the
old forest/domain, then changing the domain name (control
panel, network id) establishing it as a member server in
the new domain. A next step would be to promote it to a
DC in the new domain and replicate to the new AD. Is
this a viable way to go or must we rebuild? Would
greatly appreciate your insight and comments, warnings
of potential gotchas and requirements for doing things in
a specific sequence.

I realize this is a lot to ask. This project is taking
us into some new territory where your guidance is much
appreciated. Any links/resources you could suggest are
welcome.

Diane
 
Cary Shultz [MVP]

Diane,

Read your post and will return. I am in the middle of
removing Novell from an environment and 'moving' all that
stuff to a nice new WIN2000 Server and am doing some
extensive testing on the production machines ( which I do
not really like to do, but... I have already done as much
testing in the lab as I can do! ).

Real quickly, ADMT moves over ( either moves or copies,
depends on the operation ) the user account object.

DCPROMO that one DC, join it to the new domain as a member
server, then DCPROMO it so that it is a DC in the "new"
domain. This is the way to do it. Mind you, whatever AD
information that it held from the "parent" domain will be
lost when you run the first DCPROMO. Also, make sure that
you do not select the "This is the last domain controller
in the domain" option upon the first DCPROMO! That would
be a horrible mistake!!!!!

The WORKGROUP situation is perfect! With WIN98 it does
not really matter. For the WIN2000/WINXP machines you
should not have any problems with the profile. I
typically go to the User Profiles tab, select
the "workgroup" profile, click on 'Copy To...' and then
select the "network" profile. Naturally, this means that
the user has logged onto the domain already. Remember,
the user's profile will be created from the "default
profile" initially ( well, it does look in one or two
places first but I do not think that this applies in your
environment ).

Please do install the Support Tools on all of your
Servers. The Support Tools are located in two places: on
the WIN2000 Server CD in the Support | Tools folder or on
the WIN2000 Service Pack CD in the Support | Tools
folder. Opt for the Service Pack CD if possible. And
since this is going to be a new environment you really
want to look at WIN2000 SP4!

I will get more into this with you when I am finished here.

Cary
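The demote / re-join / promote sequence Cary describes hinges on one precondition: the first DCPROMO must not be the one that removes the last DC from the parent domain, and any FSMO roles or the only global catalog must not leave with the server. The script below is an added example, not from this thread or from Cary; it assumes a supported Windows Server with the RSAT ActiveDirectory module (the thread's own Windows 2000 environment predates PowerShell) and uses a placeholder DC name.

```powershell
# Added example: pre-demotion safety check for a DC that is about to be
# demoted with DCPROMO and re-joined to a new domain as a member server.
# Assumes the RSAT ActiveDirectory module; 'oldfs.parent.example' is a placeholder.
Import-Module ActiveDirectory

function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$DcFqdn)

    $dc     = Get-ADDomainController -Identity $DcFqdn
    $domain = Get-ADDomain -Identity $dc.Domain
    $forest = Get-ADForest -Identity $dc.Forest
    $peers  = Get-ADDomainController -Filter * -Server $dc.Domain

    # Demotion must leave at least one other DC in the domain. Ticking
    # "This is the last domain controller in the domain" would tear the
    # parent domain down, which is the mistake warned about above.
    $otherDcs = @($peers | Where-Object { $_.HostName -ne $dc.HostName })

    # FSMO roles held by this DC have to be transferred to a surviving DC first.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $heldRoles = @($roles.GetEnumerator() |
        Where-Object { $_.Value -ieq $dc.HostName } |
        ForEach-Object { $_.Key })

    # If this is a global catalog, another GC must remain for logons to work.
    $otherGcs = @($otherDcs | Where-Object { $_.IsGlobalCatalog }).Count

    [pscustomobject]@{
        DomainController  = $dc.HostName
        OtherDcsRemaining = $otherDcs.Count
        FsmoRolesHeld     = $heldRoles
        IsGlobalCatalog   = $dc.IsGlobalCatalog
        OtherGcsRemaining = $otherGcs
        SafeToDemote      = ($otherDcs.Count -gt 0) -and ($heldRoles.Count -eq 0) -and
                            ((-not $dc.IsGlobalCatalog) -or ($otherGcs -gt 0))
    }
}

# Usage with the placeholder name; review the output before running DCPROMO.
Test-SafeToDemote -DcFqdn 'oldfs.parent.example' | Format-List
```

Run it from an account that can read the parent domain; a result of SafeToDemote = False names exactly what still has to be moved off the server first.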
 
Diane

Cary,

You're a jewel! Good luck with your Novell to Win2k
testing. Have already got the win2k tools installed and
we're on SP4 on the new systems. The current DC I'll
have to check. Don't have a tools CD, but that's easy to
get. Agree with the desire to not test in production.
The environment we've been discussing is so tight, there
is little to no opportunity to test things out - figuring
out how to recover from a misstep will be a challenge.
I'll look forward to your further comments when you've
got a break.

Also, would you be willing to send your email address for
some future questions? Certainly want to respect your
time and privacy, but would appreciate the opportunity to
send a query or two if we get stuck down the road.
Having asked that, I will certainly understand also if
you prefer not to and can work with posting in this forum.

Thank you very much for sticking with me through these
long postings.

Diane
 
Cary Shultz [MVP]

Diane,

WYSIWYG! My e-mail address listed is a valid e-mail
address! Do not mind at all.

Cary
 
Diane

Cary,

Thanks Cary. Hope your testing went well. I had the
anonymous address from your first post in my brain and
missed your hotmail address -:(. I've got an all day
seminar today. Will then take some time to think through
the process. Is there anything else that comes to mind
that we should consider off the top?

Diane
 
Cary Shultz [MVP]

Oops! My Bad! I guess that every now and then I forget
to use my real e-mail address! Not intentional by any
means.

We *should* be mostly done by Friday so I will take a look
on the Weekend! That is, if my wife lets me near the
computer! ;-)

Cary
 
Diane

Have a great weekend - I understand those desires for
computer avoidance -:). Hope your testing finishes up as
planned. Will check back at start of the week, or
perhaps you can just send me an email when you have an
opportunity.

Diane
 