RE: [ActiveDir] Migrate domain to separate forest
Susan Bradley wrote:

> As a newsgrouper/listserver person who gets massive amounts of OOO... can I respectfully say that has to be the stupidest reason for network design, in my personal opinion.

And Gil Kirkpatrick wrote:

> Someone needs to do a cost-benefit analysis. I would guess that 2 forests = 1.6x the operations costs, more or less.

I agree with both of you. You're preaching to the choir here! And, since I'm in the Church biz, I've heard that homily many times, too.

I'm a tech, so even though my opinion is respected in our IT department, and my bosses agree wholeheartedly with me, over the years we have had to become almost entirely customer-driven or have all our services outsourced elsewhere. It has already happened with two of our six organizations, and it's about to happen with a third one. This particular org is one of the three that remain. So, I do what I'm told so tomorrow won't see me being walked out the door like so many of my colleagues in the past few years.

Our goal here is obviously to show this particular organization how incredibly expensive it will be for them to be in their own forest just so they can have their OoO going to the internet. But, with all the other autonomy they want, it may happen, anyway.

Now, to complicate matters, many years ago when I first installed Exchange 5.5 for 5 of our organizations (one had left by then), this organization got their very own Exchange 5.5 server, too. And, I enabled OoO to the internet, mostly because back then, 95% of email was good and only 5% was bad. But, this particular org had only climbed on board with their Exchange server because it was the end of the fiscal year; they had a few grand to spend or lose it, so they got Exchange. Except, they didn't have enough money or microcomputer resources to switch to Exchange, so that server gathered dust for years. Just last June they decided they wanted Exchange, so I convinced them to just format the Exchange 5.5 server and go directly to Exchange 2003.

Out of Office was not going to the Internet, because when I upgraded everybody to Exchange 2003, I decided in this day and age of spam and viruses that it was a very bad idea. Management agreed with me. Now, we have two remaining Exchange 5.5 servers, for two of the other orgs. These folks will lose their OoO to the internet, and some of them will raise such a stink that we'll be forced to turn it back on, anyway, thus negating all the work of taking this other org to their own forest.

Whew. This is way too long, so everybody have a nice cup of coffee on me - I'll ftp 'em to you! (At least I'll have job security for a really long time, with all this thrashing about.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Migrate domain to separate forest
Thanks for your reply, Gil. You wrote:

> Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the internet, and our security policy won't let 'em do it because it affects everybody else, too!

> In any case, there's no way that I'm aware of to carve off a domain and make it a new forest root... I think you'll have to create the forest and migrate the users and resources.

That's what I thought.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] Migrate domain to separate forest
> Because they want to have their out-of-office replies go to the internet

hmm - that puts a whole new meaning to the requirements of a different forest. So just to get OOO replies configured the way they want, they're giving up being managed in the same forest and being in the same Exchange Org, having the same GAL as the rest of the company (or requiring an extra mechanism to sync the users/contacts), or being able to easily share calendar data, simplifying resource sharing between any part of the company or allowing easy transition of users between other parts of the organization. way to go.

I certainly know of other reasons to create a separate forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, 18 January 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest
RE: [ActiveDir] Migrate domain to separate forest
Someone needs to do a cost-benefit analysis. I would guess that 2 forests = 1.6x the operations costs, more or less.

I don't know Exchange at all... isn't there some way to constrain the policy to a subset of mailboxes?

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, January 18, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest
RE: [ActiveDir] Migrate domain to separate forest
Yeah, if that is true that sounds like a great DCR, or maybe something besides Exchange handling the EDGE...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, January 18, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest
Re: [ActiveDir] Migrate domain to separate forest
As a newsgrouper/listserver person who gets massive amounts of OOO... can I respectfully say that has to be the stupidest reason for network design, in my personal opinion. The amount of social engineering data I can get from OOOs that I, on the Internet, have no business having... At least set up that Exchange setting so that OOO won't go to folks where the "To" is not in the address, please?

joe wrote:

> Yeah, if that is true that sounds like a great DCR, or maybe something besides Exchange handling the EDGE...
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Wednesday, January 18, 2006 4:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrate domain to separate forest

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
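The restriction Susan asks for (no out-of-office reply unless the mailbox is actually named in To or Cc) is easy to state as a policy check. The following is an added example, not code from the list or from any Exchange setting: a generic autoresponder gate that, before anything else, applies the RFC 3834 rules that keep auto-replies away from list and bulk mail, then Susan's explicit-addressing test, then the organisation's internet-OOO policy. `INTERNAL_DOMAINS`, the `.example` domains and every sample message are constructed for the demonstration.

```python
"""Added example: policy gate for an out-of-office autoresponder.
Not code from the ActiveDir list or from Exchange; domains and messages
below are constructed placeholders."""

from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"example.org"}   # constructed: the organisation's own domains


def ooo_reply_allowed(raw_message: str, mailbox: str,
                      allow_internet: bool = False) -> tuple:
    """Decide whether `mailbox` may auto-reply to `raw_message`.

    Returns (allowed, reason). Checks run in order: auto-reply suppression
    (RFC 3834), explicit addressing, then the internal-only policy."""
    msg = message_from_string(raw_message)
    mailbox = mailbox.lower()

    # 1. Never answer automated, bulk or list mail; this is exactly the
    #    traffic that floods a list operator's inbox with OOO replies.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "auto-submitted message"
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False, "bulk or list precedence"
    if "List-Id" in msg or "List-Unsubscribe" in msg:
        return False, "mailing list traffic"
    # A null reverse path (<>) marks a bounce; replying would loop.
    if msg.get("Return-Path", "x").strip() == "<>":
        return False, "null return path"

    # 2. Susan's setting: the mailbox must be named in To or Cc, not reached
    #    through a distribution list or Bcc.
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox not in recipients:
        return False, "mailbox not explicitly addressed"

    # 3. Only reply outside the organisation if policy allows it.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if not sender_domain:
        return False, "no usable sender address"
    if sender_domain not in INTERNAL_DOMAINS and not allow_internet:
        return False, "external sender and internet OOO disabled"
    return True, "ok"


# Constructed sample messages (not real mail).
DIRECT_INTERNAL = """From: Bob <bob@example.org>
To: Alice <alice@example.org>
Subject: Budget

Can you look at this?
"""

EXTERNAL_DIRECT = """From: Vendor <sales@vendor.example.com>
To: alice@example.org
Subject: Offer

Special price this week.
"""

LIST_POST = """From: someone@elsewhere.example
To: activedir@lists.example
List-Id: <activedir.lists.example>
Precedence: list
Subject: [list] question

Hello list.
"""

VIA_DL = """From: Bob <bob@example.org>
To: All Staff <staff@example.org>
Subject: Reminder

Parking lot closed on Friday.
"""

BOUNCE = """Return-Path: <>
From: Mail Delivery System <mailer-daemon@example.org>
To: alice@example.org
Subject: Undelivered Mail

Could not deliver.
"""

if __name__ == "__main__":
    for label, sample in [("internal", DIRECT_INTERNAL), ("external", EXTERNAL_DIRECT),
                          ("list", LIST_POST), ("via DL", VIA_DL), ("bounce", BOUNCE)]:
        print(label, ooo_reply_allowed(sample, "alice@example.org"))
```

With `allow_internet=False` only the directly addressed internal message gets a reply; flipping the flag lets the external direct message through while list, distribution-list and bounce traffic still stays silent, which is the split Gil asks about (constraining the policy rather than the forest).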
RE: [ActiveDir] Migrate domain to separate forest
If they need their own forest you need to create it first. But even before you create it, design it. First set up what the requirements should be and then design it to meet the requirements.

Migration high-level steps are:

* Make sure the AD has been configured (sites, subnets, replication, OUs, GPOs, delegations, DNS, WINS, DHCP, etc.)
* Set up name resolution (WINS or DNS) between source and target domain/forest
* Set up trusts (if an external trust is configured and sIDHistory is used, disable SID filtering)
* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with sIDHistory)
* Migrate clients from the source domain to the target domain, translate security on the client, and translate profiles (at this moment users start logging on with their new AD account on the clients that have been migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (re-ACL) of the data from source security principals to target security principals (replace the security descriptors from the old domain with the security descriptors from the new domain)
* Clean up temporary configurations
* Clean up sIDHistory (recommended!). sIDHistory is used to access resources while those resources still have security descriptors from the old domain. As soon as all data (files, folders, mailboxes, etc.) have been re-ACL-ed, sIDHistory can be cleaned. sIDHistory should only be used temporarily, for migration purposes!
* Remove trusts
* Decommission old domain(s)

For more info on migrating to an AD domain also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/default.mspx

ADMTv3 has been out for a while, so be sure to use that version.
(http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en)

If you have Exchange you need to set up the target Exchange organization and perform an inter-org migration.

Cheers,
jorge

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Tue 2006-01-17 19:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrate domain to separate forest

> Hello, colleagues,
>
> One of our organizations is in their own domain, a child domain of our root. They want to be in their own forest. Are there tools to migrate them to their own separate forest, or will I need to build the forest first, presumably with 2 new DC's, and then make all their servers join the new forest? And, of course, they have about 140 users.
>
> Thanks, folks.
>
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
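Three of Jorge's steps (disable SID filtering on the trust while sIDHistory is in use, re-ACL the data, then clean up sIDHistory) only make sense in that order, and the reason is easiest to see in a small access-check model. The following is an added example, not code from the list, from ADMT or from Microsoft: it models an account migrated with sIDHistory, a trust whose SID filtering drops every SID not issued by the trusted domain, and an allow-only ACL on a share still living in the old domain. The domain SIDs, RIDs and names are constructed.

```python
"""Added example: why sIDHistory, SID filtering and re-ACL are ordered the
way Jorge lists them. Not code from the list thread, ADMT or Microsoft;
domain SIDs and account names are constructed placeholders."""

from dataclasses import dataclass, field

OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed: source child domain
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # constructed: new forest root domain


@dataclass
class Account:
    name: str
    sid: str                                   # primary SID in the target domain
    sid_history: list = field(default_factory=list)


@dataclass
class Trust:
    """Trust where the old (resource) domain trusts the new (account) domain."""
    trusted_domain: str
    sid_filtering: bool = True                 # on by default for external trusts


def domain_of(sid: str) -> str:
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def effective_sids(acct: Account, trust: Trust) -> set:
    """SIDs the resource domain honours when the account arrives over the trust."""
    claimed = {acct.sid, *acct.sid_history}
    if not trust.sid_filtering:
        return claimed
    # Filtering keeps only SIDs issued by the trusted domain itself; the
    # old-domain SIDs carried in sIDHistory are exactly what gets dropped.
    return {s for s in claimed if domain_of(s) == trust.trusted_domain}


def has_access(acl: set, acct: Account, trust: Trust) -> bool:
    """Allow-only ACL model: access if any honoured SID appears in the ACL."""
    return bool(acl & effective_sids(acct, trust))


def translate_acl(acl: set, sid_map: dict) -> set:
    """Re-ACL: replace every old-domain SID with its new-domain counterpart."""
    return {sid_map.get(s, s) for s in acl}


def cleanup_sidhistory(acct: Account) -> Account:
    """Jorge's cleanup step: the old SIDs are no longer needed once data is re-ACLed."""
    acct.sid_history = []
    return acct


def migration_walkthrough() -> dict:
    """Run the migration stages and record whether 'alice' can open the share."""
    old_sid = OLD_DOMAIN + "-1105"
    new_sid = NEW_DOMAIN + "-1105"
    user = Account("alice", new_sid, [old_sid])   # migrated with sIDHistory
    share_acl = {old_sid}                          # share still ACLed in the old domain
    trust = Trust(trusted_domain=NEW_DOMAIN)

    results = {}
    # 1. Trust left at defaults: the sIDHistory SID is filtered away, access fails.
    results["filtering_on_before_reacl"] = has_access(share_acl, user, trust)
    # 2. Filtering disabled for the migration window: the old SID is honoured.
    trust.sid_filtering = False
    results["filtering_off_before_reacl"] = has_access(share_acl, user, trust)
    # 3. Re-ACL the data, then clear sIDHistory and put filtering back on.
    share_acl = translate_acl(share_acl, {old_sid: new_sid})
    cleanup_sidhistory(user)
    trust.sid_filtering = True
    results["after_reacl_and_cleanup"] = has_access(share_acl, user, trust)
    # 4. Had cleanup run before the re-ACL, the same share would now be closed.
    results["cleanup_without_reacl"] = has_access({old_sid}, user, trust)
    return results


if __name__ == "__main__":
    for stage, ok in migration_walkthrough().items():
        print(f"{stage}: {'allowed' if ok else 'denied'}")
```

Stage 1 is what breaks when the trust is created with SID filtering left on; stage 2 is the window Jorge opens, and stage 4 is why he puts re-ACL before the sIDHistory cleanup. Since an open trust honours whatever SIDs the other side presents, keeping that window short is the control that matters.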
RE: [ActiveDir] Migrate domain to separate forest
Many thanks, Jorge. And I hear congratulations on your MVP status are in order. Congrats!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, January 17, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest
RE: [ActiveDir] Migrate domain to separate forest
Just out of curiosity, why do they think they want their own forest?

In any case, there's no way that I'm aware of to carve off a domain and make it a new forest root... I think you'll have to create the forest and migrate the users and resources. ADMT would seem to be a reasonable way to go. Or one of the commercial migration products.

-g

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Tuesday, January 17, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrate domain to separate forest