Hi,

In an intraforest migration ADMT actually MOVES the user account by creating a new account in the target domain (new SID, but SAME GUID as the source account) with the SID of the source account in the sIDHistory of the target account. This is a destructive operation as there is no (quick) fallback. The only options for fallback are (only on W2K3) undeleting the source user account (but first delete the target account!!!) and an authoritative restore of the user account in the source domain (but first delete the target account!!!). The main reason for deleting the target account, before restoring the source account, is that they have the same GUID as the source account. In an AD forest (and independent of the AD domain) NO 2 or more accounts can have the same GUID!!! When also migrating clients (w2k and w2k3 and wxp) there will be no need to do a profile migration as the GUID does NOT change for each account.

Using ADMT, only an interforest migration is a NON-destructive operation as source accounts are NOT deleted by default.

If I'm correct Aelita's Domain Migration Wizard creates a new target account with a new GUID, puts the SID of the source account in the NEW target account's sidhistory AND keeps the source account for fallback. One of the caveats here is that you need to do a profile migration. It depends what's more important in an intraforest migration -> fallback for source accounts or easy profile migration. I think the first!

It is still not clear to me if you also have groups in the source domains that also need to be migrated and if these groups also have the same names in all the source domains. Don't forget to define closed sets of security principals if you don't change group scope, otherwise change the group scope to universal sec. The target domain must at least be Windows 2000 native to accept sidhistory and universal security groups.

For user accounts you must do a many-to-one migration of user accounts where the sid history of each source account is added to the sidhistory attribute of the target account. With ADMT I think merging user accounts would only work in interforest scenarios and not in an intraforest scenario, as GUIDs cannot be consolidated into one account like this, which is possible with SIDs.

From the ADMT readme.doc (see section "Subsequent User Migrations Update Group Membership of Target Accounts"): group memberships will be migrated to the target whereas target group memberships that do not exist in the source will be preserved. DON'T use the option "remove existing members" when remigrating groups. I'm not sure though how this works in an intraforest migration scenario.

The most sure thing for you is to create a VMware environment with at least 3 domains (root = target and both children are source) (each with 1 DC) and create some users and groups in all domains. Install a trial third party tool like DMW and ADMT and configure accordingly. Create a snapshot at this moment. First try ADMT and then the third party tool.

I think in this case a third party tool like DMW would be the way to go. I don't know about NetIQ migtooling but I know DMW preserves source accounts even in an intraforest mig scenario.

Hope this rather long explanation helps you!

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 3/23/2005 9:59 PM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

Quest's Domain Migration Wizard has options to handle duplicate accounts.

>>> [EMAIL PROTECTED] 3/23/2005 11:44:44 AM >>>
That's not correct for an intraforest migration. Intraforest migrations are definitely a move and not a copy. Have you copied a user account from a domain in ForestA to another domain in Forest A and had it actually be a copy?

Phil

On Wed, 23 Mar 2005 14:23:04 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I think during an intraforest migration it is a copy, as the source user accounts are left intact and the users can continue to use them. This makes for an easy roll back if something goes wrong. I have not yet looked at using other tools as they, of course, will cost money and this tool is free. Management with the help of a consultant decided that ADMT would be able to do the job.
>
> Phil Renouf <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> To: [email protected]
> 03/23/2005 02:13 PM
> Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> Please respond to [EMAIL PROTECTED]
>
> Can ADMT merge between two domains in the same forest? Since intraforest migrations are a move and not a copy I was under the impression that you couldn't merge accounts while doing that. When doing an intraforest migration with NetIQ the option to merge conflicting accounts is not available.
>
> When doing a migration from a domain outside your forest you can absolutely merge accounts with the NetIQ tool, so I would be surprised if ADMT couldn't do that as well.
>
> Phil
>
> On Wed, 23 Mar 2005 13:26:12 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> > So merge is the correct term then?
> >
> > It's been a while, but I was thinking that ADMT could handle that. Have you checked the help files for merging source to target?
> >
> > al
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, March 23, 2005 12:15 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > These are the same users in the same forest, but in different domains.
> >
> > "Mulnick, Al" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > To: [email protected]
> > 03/23/2005 12:06 PM
> > Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> > Please respond to [EMAIL PROTECTED]
> >
> > And when you say duplicate names, are they representing different users or the same users from different forests?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, March 23, 2005 11:23 AM
> > To: [email protected]
> > Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> >
> > Yes, all of these domains are in the same forest. We have an empty root domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child domains, FM.domain.com, MI.domain.com and RA.domain.com. The forest functional level is Windows 2000 while the domain functional level of MSROOT.domain and DOMAIN.com is Windows 2003.
> > I raised it from Windows 200 Native after the upgrade.
> >
> > The accounts all follow the same naming standard across all domains.
> >
> > Phil Renouf <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > To: [email protected]
> > 03/23/2005 10:21 AM
> > Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
> > Please respond to [EMAIL PROTECTED]
> >
> > Are they all in the same forest? You mentioned child domains so I assume they are, but I just wanted to check. Do the accounts follow the same naming standard across all the domains? You mention the target domain is Windows 2003 Native, I assume this means Windows 2003 in Win2k Native mode?
> >
> > Phil
> >
> > On Wed, 23 Mar 2005 10:00:06 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > We are currently trying to migrate all of our child domains into one single domain. There are 3 child domains, 2 of which are Windows 2000 native and 1 is Windows 2000 Mixed. The target domain is Windows 2003 Native. We plan to use ADMT v2 for the planned migrations.
> > > There were many different project teams, each with a hand in AD, before I arrived. When an account was needed in a particular domain it was just created, even though there were obviously trusts in place. Now I have 1,000's of duplicate user ID's in the target domain. How would I go about merging the accounts in the child domains with the accounts in the target domain?
> > >
> > > Thanks,
> > > Chris
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
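
The many-to-one merge discussed in this thread can be planned offline before any tool is run. The sketch below is an added example, not part of the original messages and not code from ADMT or DMW: it assumes account records exported from each domain, uses constructed SIDs and placeholder GUIDs, and matches accounts on sAMAccountName because the thread says all domains share one naming standard.

```python
from collections import defaultdict

TARGET = "DOMAIN.com"  # target domain named in the thread

# Constructed sample export: (domain, sAMAccountName, objectSid, objectGUID).
# SIDs are made up and GUIDs are shortened placeholders.
ACCOUNTS = [
    ("DOMAIN.com",    "jsmith", "S-1-5-21-100-100-100-1105", "a1"),
    ("FM.domain.com", "JSmith", "S-1-5-21-200-200-200-1107", "b2"),
    ("MI.domain.com", "jsmith", "S-1-5-21-300-300-300-1110", "c3"),
    ("RA.domain.com", "mlee",   "S-1-5-21-400-400-400-1121", "d4"),
    ("DOMAIN.com",    "akhan",  "S-1-5-21-100-100-100-1130", "e5"),
]

def duplicate_guids(accounts):
    """Return GUIDs held by more than one object; a forest allows none."""
    seen = defaultdict(list)
    for domain, name, _sid, guid in accounts:
        seen[guid].append(f"{domain}\\{name}")
    return {g: objs for g, objs in seen.items() if len(objs) > 1}

def merge_plan(accounts, target=TARGET):
    """Group source accounts under the same-named target account.

    Returns (merges, unmatched): merges maps a target account's SID to the
    source SIDs its sIDHistory must end up containing; unmatched lists
    source accounts that have no namesake in the target domain.
    """
    targets = {name.lower(): sid for dom, name, sid, _ in accounts
               if dom.lower() == target.lower()}
    merges, unmatched = defaultdict(list), []
    for dom, name, sid, _guid in accounts:
        if dom.lower() == target.lower():
            continue
        key = name.lower()  # sAMAccountName matching is case-insensitive
        if key in targets:
            merges[targets[key]].append(sid)
        else:
            unmatched.append(f"{dom}\\{name}")
    return dict(merges), unmatched

if __name__ == "__main__":
    merges, unmatched = merge_plan(ACCOUNTS)
    for target_sid, history in merges.items():
        print(target_sid, "<- sIDHistory:", ", ".join(history))
    print("no target namesake:", unmatched)
    print("GUID collisions:", duplicate_guids(ACCOUNTS))
```

Running `duplicate_guids` over an export that includes a candidate restore of a source account shows why the target account has to be deleted first: the restored object would collide on GUID with the moved one.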
