Windows Server

phasered · Guest

I am migrating computers to a new 2003 domain and using the ADMT tool to move
the workstations. I am vague as to the benefits/downfalls of each option. We
have built our infrastructure and will now be moving our workstations (then
groups, user accounts, etc) Our source domain (NT4) will remain active until
with users until we first move workstations etc which will be a gradual
process (of sorts). I have moved workstations using the add to this point but
am beginning to second guess this choice. What will this mean to the process
(cleanup, etc). If I would use the replace or remove option then what
functionality if any would be lost on users of the old source domain until
the move is complete? What type of cleanup is necessare with the add option?

Frances [MSFT] · Guest

Hello,

Thanks for your post.

According to your description, you are performing a migration from NT to
win2k3. I notice that you performed the computer migration first and then
performed the user/group migration. It is actually not a recommended
migration order since ADMT Migrations between two forests are actually
clone operations except the computer migration because computers can only
belong to one domain at a time. Therefore, it is best to migrate group and
user accounts first. After ensuring that everything works, we can then
perform the Computer Migration.

The Recommended Migration Order is listed below for your referance:

1. Trust migration (UI Only)
2. Service account migration
3. Domain Global Group
4. Domain Local Group
5. User migration
6. Computer migration
7. Security translation
8. Report

As for the options of add, replace and remove, do you mean the options
shown in the Security Translation Options of the Computer Migration Wizard?
If this is the case, these options are related to ACL references which
decide the users' access to the resources in the domain. For your
convenience, I will offer the meanings of the options below.

Add: This option maintains the source domain references on ACLs and adds
the corresponding target domain sIDs.

Replace: This option removes all ACL references to the source domain and
replaces them with entries for the target domain.

Remove: This option deletes references to source domain sIDs and does not
add any information for target domain security principals.

We recommend using Replace mode.

Local profiles are translated in replace mode because if you perform the
profile translation in add mode, software installation by means of software
deployment Group Policies might not work.

Remigrating User Accounts and Workstations in Batches
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deploy
guide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/de
ployguide/en-us/dssbi_reer_zgwe.asp

I am not very clear about your meaning of "What type of cleanup is
necessary with the add option?" I believe you have met some problems due to
the order of your migration, is that correct?

Please refer to the following articles for more information.

Migrating from Windows NT Server 4.0 to Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-
8de0-19544062a6e6&DisplayLang=en

Active Directory Migration Tool Overview
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.
asp

Hope this is helpful. If you have any further questions don't hesitate to
get in touch!

Best regards,

Frances He

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

phasered · Guest

Great information and you interpreted my question as I had hoped. We have
little or no resources on the workstations that are shared or reliant on the
old domain. Our strategy was to get these workstations in and be able to
utilize the group policy for security reasons. The group policy is working
well for us and is applying several securiy features as we had hoped even
through the initial route I have taken. I am hoping I can go back to these
workstations and run the security translation wizard to clean up any
references to the old domain.
Software deployment is not a priority at this time. Are suggesting that
there are cases out there that software deployment did not function even
after complete migration of domains if workstations were migrated first?

When I was referring to clean up what I poorly phrased was that I was trying
to imply what was involved in the cleanup of any security references to the
old domain. Hopefully this can be completed by the security translation
wizard.

Thanks for your help and wisdom.

"Frances [MSFT]" wrote:

Frances [MSFT] · Guest

Hello,

I am glad to hear the news.

As for the potential problems, it is hard to say. Things are different
regarding different environment.

Generally speaking, security translation wizard is capable of updating most
common resources automatically, and is also configurable by the
administrator. Performing security translation on computers requires the
same level of privileges as computer migration.

If you have any further questions don't hesitate to get in touch. I am
happy to offer help!

Best regards,

Frances He

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

	Windows Server Forum Index -> Migration	All times are GMT
Page 1 of 1