RE : [ActiveDir] Intra-forest migration
A good link about admt v2 capabilities from an HP expert, including migrating user profiles, and a comparison between admt v2 and other third-party tools:

http://redmondmag.com/features/article.asp?EditorialsID=357

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Date: Sat 30/07/2005 16:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

Destructive migration is not sounding real good at the moment. Restoring all of the user and objects back the way they were probably isn't an easy proposition either, I'm guessing.

As for the profiles, would the profiles be "migrated" as well with admt version2, meaning when the user logs in as domain-destination\username, the same profile would be there as the one domain-origin\username? The reason I ask is that even if the migration is a move and not a copy with admtv2, I may need another reason to push for a commercial product. If admtv2 can't do the above with the profile, how difficult do you think it would be to script something for ~2500 users so that when they walk in on Monday, all they have to do is log in and all things are good to go.

Sorry for the ramble. Thanks for the reply.

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 7/29/2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
RE: [ActiveDir] Intra-forest migration
It is a move, that’s the key difference.. Regardless of which tool you look at though, all three that have been mentioned so far (well, 2 and a half :D) will require you to:

1) move/copy the users from domain a to domain b
2) deploy agents to the workstations/servers to perform post processing -> this is the process that actually updates all the SIDs and profiles for the users that have been migrated.. it’s key to do this after all users have been migrated that use the particular box/server you’re processing.. if not, then you’ll run into problems with users trying to access resources.. even if you migrate a user later – you could always go back and rerun the post processing on a machine again (at least with quest and netiq, I’m not sure if that functionality made it down to the free admt version..)

-- Rob Ryan - MCSE, MCSA ([EMAIL PROTECTED])
-- Network Systems Engineer
-- Landata Systems, Network Services
-- (713) 625-8276

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 30, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

I'm digging into my memory right now and the answer concerning profiles when doing an intra-forest migration is (at least I think so, don't remember exactly) ADMT will translate profiles if needed. However, using ADMT with an intra-forest migration (as I said before) of user accounts will delete the user account in the source domain and create a new one in the target domain. Why is the source user deleted? Reason: The new target user account will have the same GUID as the source user and in a forest each user account MUST have a unique GUID. The target user will get a new SID and the old SID gets into sidhistory (if told so). So if you have Windows 2000/XP/2003 clients there is no need to redirect (ACL translation is still needed if you want to get rid of sidhistory in the end) the profile to the new user account because the pointer in the registry uses the GUID. If you have NT4 clients then you still must redirect the profiles.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

Destructive migration is not sounding real good at the moment. Restoring all of the user and objects back the way they were probably isn't an easy proposition either, I'm guessing.

As for the profiles, would the profiles be "migrated" as well with admt version2, meaning when the user logs in as domain-destination\username, the same profile would be there as the one domain-origin\username? The reason I ask is that even if the migration is a move and not a copy with admtv2, I may need another reason to push for a commercial product. If admtv2 can't do the above with the profile, how difficult do you think it would be to script something for ~2500 users so that when they walk in on Monday, all they have to do is log in and all things are good to go.

Sorry for the ramble. Thanks for the reply.

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 7/29/2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
RE: [ActiveDir] Intra-forest migration
I'm digging into my memory right now and the answer concerning profiles when doing an intra-forest migration is (at least I think so, don't remember exactly) ADMT will translate profiles if needed. However, using ADMT with an intra-forest migration (as I said before) of user accounts will delete the user account in the source domain and create a new one in the target domain. Why is the source user deleted? Reason: The new target user account will have the same GUID as the source user and in a forest each user account MUST have a unique GUID. The target user will get a new SID and the old SID gets into sidhistory (if told so). So if you have Windows 2000/XP/2003 clients there is no need to redirect (ACL translation is still needed if you want to get rid of sidhistory in the end) the profile to the new user account because the pointer in the registry uses the GUID. If you have NT4 clients then you still must redirect the profiles.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

Destructive migration is not sounding real good at the moment. Restoring all of the user and objects back the way they were probably isn't an easy proposition either, I'm guessing.

As for the profiles, would the profiles be "migrated" as well with admt version2, meaning when the user logs in as domain-destination\username, the same profile would be there as the one domain-origin\username? The reason I ask is that even if the migration is a move and not a copy with admtv2, I may need another reason to push for a commercial product. If admtv2 can't do the above with the profile, how difficult do you think it would be to script something for ~2500 users so that when they walk in on Monday, all they have to do is log in and all things are good to go.

Sorry for the ramble. Thanks for the reply.

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 7/29/2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
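The SID bookkeeping described in the message above, as an added example that is not part of any list member's post and not ADMT's own logic: it decodes binary SIDs as stored in `objectSid` and `sIDHistory`, maps each pre-migration SID to the account's current SID, and lists the ACEs that still name an old SID and so must be translated before sidhistory can be cleared. All account names, domain SIDs and paths are constructed sample data.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID, the form objectSid and sIDHistory take in LDAP."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def str_to_sid(text: str) -> bytes:
    """Encode an S-1-... string; used here only to build the sample data."""
    fields = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = fields[0], fields[1], fields[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample data: domain SIDs, account names and paths are made up.
OLD_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOM = "S-1-5-21-4000000000-1234567890-987654321"
ACCOUNTS = [
    {"name": "alice", "objectSid": str_to_sid(NEW_DOM + "-2101"),
     "sIDHistory": [str_to_sid(OLD_DOM + "-1105")]},
    {"name": "bob", "objectSid": str_to_sid(NEW_DOM + "-2102"),
     "sIDHistory": [str_to_sid(OLD_DOM + "-1106")]},
    {"name": "carol", "objectSid": str_to_sid(NEW_DOM + "-2103"),
     "sIDHistory": []},                                  # created in the target
]
ACES = [  # (resource, trustee SID) pairs as an ACL dump might list them
    (r"\\fs1\home\alice", OLD_DOM + "-1105"),            # not yet translated
    (r"\\fs1\archive", OLD_DOM + "-1105"),               # not yet translated
    (r"\\fs1\projects", NEW_DOM + "-2102"),              # already translated
    (r"\\fs1\public", "S-1-5-11"),                       # well-known SID
]

def build_translation_map(accounts):
    """Map every SID held in sIDHistory to the account's current SID."""
    sid_map = {}
    for acct in accounts:
        current = sid_to_str(acct["objectSid"])
        for raw in acct["sIDHistory"]:
            old = sid_to_str(raw)
            if sid_map.get(old, current) != current:
                raise ValueError("SID %s is in the history of two accounts" % old)
            sid_map[old] = current
    return sid_map

def find_stale_aces(aces, sid_map):
    """ACEs whose trustee is a pre-migration SID, with the SID to translate to."""
    return [(path, sid, sid_map[sid]) for path, sid in aces if sid in sid_map]

def history_removable(accounts, aces):
    """Per migrated account: True once no ACE references its old SID(s)."""
    trustees = {sid for _, sid in aces}
    return {a["name"]: not any(sid_to_str(r) in trustees for r in a["sIDHistory"])
            for a in accounts if a["sIDHistory"]}

if __name__ == "__main__":
    for path, old, new in find_stale_aces(ACES, build_translation_map(ACCOUNTS)):
        print("%s: translate %s -> %s" % (path, old, new))
    print(history_removable(ACCOUNTS, ACES))
```
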
Re: [ActiveDir] Intra-forest migration
ADMT v2 will do what you're looking for. Play with it in the lab so you can see how it works and get the procedure down.

Phil

On 7/30/05, Chris Flesher <[EMAIL PROTECTED]> wrote:
>
> Destructive migration is not sounding real good at the moment. Restoring all of the user and objects back the way they were probably isn't an easy proposition either, I'm guessing.
>
> As for the profiles, would the profiles be "migrated" as well with admt version2, meaning when the user logs in as domain-destination\username, the same profile would be there as the one domain-origin\username? The reason I ask is that even if the migration is a move and not a copy with admtv2, I may need another reason to push for a commercial product. If admtv2 can't do the above with the profile, how difficult do you think it would be to script something for ~2500 users so that when they walk in on Monday, all they have to do is log in and all things are good to go.
>
> Sorry for the ramble. Thanks for the reply.
>
> From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
> Sent: Fri 7/29/2005 10:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Intra-forest migration
>
> When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.
>
> Cheers
> #JORGE#
>
> From: [EMAIL PROTECTED] on behalf of Chris Flesher
> Sent: Sat 7/30/2005 12:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Intra-forest migration
>
> We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?
>
> Thanks as always. This list is a real help.
>
> Chris Flesher
> The University of Chicago
> NSIT/DCS
> (773)-834-8477

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Intra-forest migration
Destructive migration is not sounding real good at the moment. Restoring all of the user and objects back the way they were probably isn't an easy proposition either, I'm guessing.

As for the profiles, would the profiles be "migrated" as well with admt version2, meaning when the user logs in as domain-destination\username, the same profile would be there as the one domain-origin\username? The reason I ask is that even if the migration is a move and not a copy with admtv2, I may need another reason to push for a commercial product. If admtv2 can't do the above with the profile, how difficult do you think it would be to script something for ~2500 users so that when they walk in on Monday, all they have to do is log in and all things are good to go.

Sorry for the ramble. Thanks for the reply.

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 7/29/2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Intra-forest migration

When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
RE: [ActiveDir] Intra-forest migration
When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. The reason is that with an intra-forest migration the GUID does not change (the SID does); the problem with this is that it does not provide fallback. In fact it is a MOVE. As far as I know, Domain Migration Wizard from Quest does a copy, thus providing for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Chris Flesher
Sent: Sat 7/30/2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
Re: [ActiveDir] Intra-forest migration
The Quest tool copies the user? I didn't know that was possible, all Intraforest migrations I have seen have been moves.

Phil

On 7/29/05, Rob Ryan <[EMAIL PROTECTED]> wrote:
>
> We've been using the Quest migration suite lately and have had pretty good success – the biggest selling point for me was that, unlike ADMT and the NetIQ (which are pretty much one and the same except NetIQ will let you "undo" and is supposed to actually work :D) was that it did a non-destructive migration – ADMT/NetIQ is a lot like doing a movetree – if it works, great, if not, you've got nothing to go back to.. Quest basically just does a copy of the object, which you can leave disabled in the target until you're ready to get the users using their new accounts. All of them should handle profile/permission migration though? I thought I remembered testing that last year when admt2.0 came out, but it was incredibly resource intensive and not necessarily reliable or scalable.
>
> Neither Quest nor NetIQ are cheap though, and both bill per user migrated..
>
> -- Rob Ryan
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
> Sent: Friday, July 29, 2005 5:05 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Intra-forest migration
>
> We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?
>
> Thanks as always. This list is a real help.
>
> Chris Flesher
> The University of Chicago
> NSIT/DCS
> (773)-834-8477
Re: [ActiveDir] Intra-forest migration
ADMT pretty much has the functionality of the good 3rd party migration tools as far as migrations and security translations go. Where the 3rd party tools shine is in complex migration schedules, migrations with complex servers (SQL, IIS etc.) and they tend to offer easier/better reporting/logging.

What do you mean by profile? Do you mean my desktop profile (background, settings, my documents etc.)? If so then ADMT can translate those profiles the same as 3rd party tools can.

Load up a test forest and play around with ADMT a bit; v2 is quite good for most cases.

Phil

On 7/29/05, Chris Flesher <[EMAIL PROTECTED]> wrote:
> We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?
>
> Thanks as always. This list is a real help.
>
> Chris Flesher
> The University of Chicago
> NSIT/DCS
> (773)-834-8477
RE: [ActiveDir] Intra-forest migration
We’ve been using the Quest migration suite lately and have had pretty good success – the biggest selling point for me was that, unlike ADMT and the NetIQ (which are pretty much one and the same except NetIQ will let you “undo” and is supposed to actually work :D) was that it did a non-destructive migration – ADMT/NetIQ is a lot like doing a movetree – if it works, great, if not, you’ve got nothing to go back to.. Quest basically just does a copy of the object, which you can leave disabled in the target until you’re ready to get the users using their new accounts. All of them should handle profile/permission migration though? I thought I remembered testing that last year when admt2.0 came out, but it was incredibly resource intensive and not necessarily reliable or scalable.

Neither Quest nor NetIQ are cheap though, and both bill per user migrated..

-- Rob Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, July 29, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intra-forest migration

We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves?

Thanks as always. This list is a real help.

Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477