New Active Directory Install

Michael Smith

I currently have responsibility for a 60 workstation network with 2
Windows 2000 domain controllers. The current active directory
installation is totally screwed up. What I want is a totally new active
directory install. Unfortunately, I need the new domain to be named the
same as the old domain. I'd also like to KEEP my existing users'
settings (passwords can change).

What I could do is take my BDC, install Windows 2003 Server on it (with
a new domain) and then migrate all clients AND user profiles to the new
domain. Then go through the Windows 2003 domain renaming process:
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
This will take too long for me to complete by myself in the time frame I
have allotted, so I am looking for a better way.

Here's what I think might work and plan to test:
1. Create new Win2003 domain controller with same domain name (not
attached to network).
2. Copy each user profile to a local user account (using user profile
manager under 'my computer').
3. Take current Win2000 PDC and BDC off of the network.
4. Join the new domain with each workstation.
5. Copy the local user profile created in step 2 to the user's domain
profile under the new domain.
6. Re-install the original PDC and BDC and join the new domain.
7. dcpromo the PDC and BDC back to positions of authority and demote the
DC created in step 1.

Will this work? Is there a better way to do this, maybe using the
Active Directory Migration tool
(http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp),
which I have never used?
 
Richard Moreno

Hi Michael-

Boy! You have a difficult goal to achieve here!

Unfortunately, I cannot speak from experience in this particular scenario
but I thought I would offer my opinion. I believe that your 1st suggestion
(the one you don't prefer to do) is your best bet. Create a new AD Forest
built on the Windows 2003 Server OS, establish the necessary trusts between
the new and old domains and then using the ADMT 2.0 migrate your users,
groups, and computers to the new forest, break your trusts, turn off the old
domain completely, and then proceed with the lengthy process of the forest
rename.

Whichever way you go, I would certainly be interested in hearing your
results!
 
Jack

If you have not upgraded to native mode there is actually
a rather easy way to accomplish this.

Bring up an NT4 BDC. Get all accounts sync'd up. Then
simply power down your 2k DCs and format them. Make that
BDC a PDC and you are back to an NT4 domain. Go through
the NT4->W2k or W2k3 in place upgrade plan and you now
have a fresh AD to work with. There are some other steps
you will need to take (such as cleaning up the dns). If
you aren't native mode, e-mail me at (e-mail address removed)
(real address) and I can guide you through the rest. The
only thing you will lose is group policies and any
delegation of OUs and whatnot. You will also lose some
user settings (if used) like phone number and address.

If you are already native mode...I would highly recommend
just fixing your current AD. Migrating all accounts to a
new forest and then renaming the domain is extremely
hokey and will most likely leave some evil side effects
in its wake. If you'd like, let me know what issues you
are having, almost any AD is fixable.

Your other way makes no allowance for keeping users. You
will lose all users and groups and would need to recreate
them (which means any file or printer security you have
will be lost).

The bottom line is, your best bet would be to fix
whatever is boned up. Feel free to contact me.

-Jack
 
