Active Directory Migration: Take One ..

To the hospital, that is.
Work like this is never fun to undertake. Especially when you are unprepared for such a feat. And that was me, on August 12. You heard right, I've got no formal training in Active Directory. Or Windows NT. Or Unix, for that matter. I've turned down training for Server 2003 because the courses that are offered cover things I already know how to do. I know DNS. I know DHCP. OK, well, I admit, I don't know WINS. But I do know permissions. And file/printer sharing. I also have experience with the Windows Registry, the Group Policy Editor, and MMC. I know what I know from working the front lines, along with perhaps a certain aptitude and patience for dealing with situations like this.
Anyway, I've been itching to move along our library's upgrade to Windows Server 2003. Dealing with the SCSI failures on the file server made me want to quickly remove the interim IDE hard drive. The Adaptec HostRAID drivers installed themselves simply enough. Had to disable the system drives on the old controller first (Windows has this *thing* about copying files to the first hard drive on the first controller it finds; in this case Windows was finding the failing hard drives first). After that, Windows Server 2003 is reasonably straightforward. Even after the reboot and the configuration of Active Directory through the "Configure Your Server" and "Manage Your Server" wizards. I retyped all the groups that existed on the previous domain, retyped all the users. Recreated the login scripts - even found the right place to store them.
The only problem I had with DNS was for reverse DNS lookups. Their Reverse Lookup Zone Wizard does the reversing for you: you type the network '192.168.0.x' and the zone name becomes '', which you have to type in reverse yourself in ISC's BIND.
Once everything was said and done, I (with the help of my boss) ran around to all the client machines and either installed the Active Directory Client for Windows 9x or joined them to the new domain name. I thought, "Hooray, we're done".
There was hell to pay the next day.
Questions like "Why can't I print?" and "Where is my email?" rang from around the library as I tried to get a grip on understanding what went wrong. I was thinking, "Since all user profiles are local to that machine, why aren't the XP machines using the profiles already on the client?".
The answer, in my humble opinion (now if this is all, half, or none of the correct answer, please feel free to flame this journal entry in the comment section below), is that the greatest strength of Microsoft's domain security structure, its flexibility, is also its greatest weakness when it comes to changing the network/domain structure of the client computers. Those profiles are so tied to the domain security that they cannot be carried over into a new domain - at least, not without help.
The help, as I discovered later, comes in the form of the Active Directory Migration Tool. There are some tricks to get the tool to work properly, which will be covered in Take Two of this library's network upgrade to Server 2003. To use the migration tool, however, it is imperative that the existing NT domain server be alive and well. So, I took a spare P3 machine, slapped in the IDE HD that had Windows NT installed on it, re-applied NT and Service Pack 6 (had to - the hardware was not the same), and began reading "How To"s on migrating to Server 2003. Oh jolly what fun.
Some saving graces during the 3 days I forced the library to be offline (e.g. no printing, no shared files, limited drive C access - Internet was OK though) were:

  1. Library Director away that week
  2. NT already on IDE drive
  3. Had spare same-generation hardware with lots of memory
  4. Original NT CDROM, and service packs
  5. An understanding boss

So I didn't quite go to the hospital. Sure felt like hell during that time though.


You are basically correct; local profiles are tied to the domain account (SID). Switching domains on the client does not migrate the profiles; there are many potential security concerns in migrating local user profiles to new domains. To bypass this you can either use the Active Directory Migration Tool, copy the local domain profile to a local machine profile, then overwrite the new domain profile, or use a registry hack to change what profile is loaded (not recommended). Sounds like your migration went well; congratulations.
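The point made in the post and confirmed in the comment above, that a local profile belongs to a SID from a specific domain, can be checked on a client before it is cut over. This is an added example, not from the original post or its comments: it reads the ProfileList registry key, resolves each SID, and flags profiles whose domain SID differs from the domain of the account running it (assumed to be a domain account on an already-joined machine). Profiles that no longer resolve to a name are the ones the old domain owned.

```powershell
# Added example: inventory local profiles by owning SID and flag profiles that
# belong to a domain other than the one this machine currently trusts.
# Run from an elevated PowerShell prompt, logged on with a domain account.

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Domain SID of the account running the script. AccountDomainSid is $null for
# a purely local account, in which case nothing will match 'current domain'.
$self = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$currentDomainSid = $self.User.AccountDomainSid

Get-ChildItem $profileListKey | ForEach-Object {
    $sidString = $_.PSChildName
    $sid = $null
    try { $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString) }
    catch { return }   # subkey name is not a SID; skip it

    # Service SIDs (S-1-5-18/19/20) have no domain component; skip them.
    if ($sid.AccountDomainSid -eq $null) { return }

    # Resolving a SID to a name fails when the owning domain can no longer be
    # reached, which is exactly the state of profiles left behind by the old NT domain.
    $name = '<unresolvable>'
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    $status = if ($sid.AccountDomainSid -eq $currentDomainSid) { 'current domain' }
              elseif ($name -eq '<unresolvable>') { 'orphaned (old domain?)' }
              else { 'other domain or local machine' }

    [pscustomobject]@{
        Sid         = $sidString
        Account     = $name
        ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
        Status      = $status
    }
} | Format-Table -AutoSize
```

Rows marked 'orphaned' are the profiles that will not follow the user into the new domain on their own; they are the candidates for ADMT or a manual profile copy, and after the migration they are leftover data to be cleaned up rather than reused.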

Oh this story ain't done yet. The migration has not exactly gone well, and it is still not actually complete. Sort of a quick update: I'm going the route of a local PDC upgrade instead, along with a variety of temporary servers - mainly for simplicity reasons. This, however, is not without its quirks either...

Your story reminded me of migrating from a Windows NT Domain to Windows 2000 Active Directory; I had a similar set of issues. I didn't want to affect production hardware, thus I set up a BDC on backup hardware, promoted it to PDC, and converted to Windows 2000 Active Directory. I left the production hardware alone for a couple of weeks, making sure I didn't have the very profile issues you've encountered (then again I wasn't doing a domain migration, just an upgrade). After I was finished everything worked, until I decommissioned the server I'd used in migration. I learned quickly over the next two days what a Global Catalog Server was, what happens if you remove all of them, and how to enable the services on another Active Directory Domain Controller. I also learned what the FSMO Roles were, and how to manually transfer (seize) the roles. All in all it was a great learning experience of a weekend, but I too felt the need for hospitalization after the migration.

"what the FSMO Roles were, and how to manually transfer (seize) the roles" - I just finished doing that - literally... I learned of FSMO during one of my discussions within the group of peers I have access to. This process is simple enough to do and occurred quite quickly. Getting ready now to launch dcpromo to remove the first temporary server from the domain.

I didn't realize what the problems were until a few days after decommissioning the migration server (I needed it for a different project). Being that I had just finished repurposing the server I used ntdsutil with the following method to seize the roles from the command line.

Good luck with your continued migration.
