Assuming:

* NDS login names are the same as the NT4 domain login names
* Workstations (W2K/WXP) will be migrated from the NT4 domain to the AD domain (migrating W9x will be a bit different) (if W9x/WNT then you'll also need the DSCLIENT)
* No duplicate user accounts exist in the NDS
* No duplicate groups in the NDS exist
* Passwords of user accounts in the NDS are the same as those of users in NT4
* Company file data is on Novell file servers
* Home directories are on Novell file servers
* Profiles are on Novell file servers
* AD design is ready, implemented and finished
* Novell NDS is primary environment and NT4 domain is secondary env.
* Trusts are in place between NT4 and AD (sidfiltering is not an issue on NT4 if it has not been configured)

In a similar migration like yours I used Quest NDS Migrator and Quest Domain Migration Wizard. Both worked great. I suppose it is also possible to do the same with MS SFN and ADMT, although more difficult.

I'm not sure if this will work for your environment but think about it and see if it will work.

VERY high-level migration steps using MS SFN, ADMT and SUBINACL (test this in a test environment):

* Clean up your NT4 domain (accounts, groups)
* Clean up your NDS (accounts, groups)
* Remove special characters from group names that Windows does not support and shorten group names if needed (Windows has a maximum of 64 chars)
* If you have duplicate accounts belonging to different people try to make them unique by renaming them. It is however not needed to rename, but it will make your life easier in the end
* If you have duplicate accounts belonging to one person try to consolidate them. It is however not needed to rename, but it will make your life easier in the end

ACCOUNT MIGRATION

* Migrate groups from Novell to AD
* Migrate accounts from Novell to AD
* Migrate group memberships from Novell to AD
* Migrate service accounts to AD
* Migrate groups (global and local) from NT4 to AD (including sidhistory)
* Migrate user accounts from NT4 to AD (including passwords and sidhistory)
* Migrate group memberships from NT4 to AD

RESOURCE MIGRATION

* Migrate clients from NT4 to AD and re-acl (replacing) the clients and translate profiles
* Create an AD logonscript (using GPOs or through NETLOGON share)
* Migrate company file data from Novell to AD (establish drive mappings on the AD side and disable on Novell side) (translate security!)
* Migrate home directories from Novell to AD (establish drive mappings on the AD side and disable on Novell side) (translate security!) (populate the home directory location info on the AD user objects)
* Migrate servers/resources from NT4 to AD (re-acl file system, group membership, etc.)
* Remove the Novell client from the clients
* Migrate profiles from Novell to AD (translate security!) (populate the profile location info on the AD user objects)
* Clean up sidhistory from the AD user accounts and groups
* Decommission Novell environment
* Remove trust
* Decommission NT4 domain

Remember also that there are differences between the Novell file system and the NTFS file system! Trustee rights in Novell are explicitly TOP-DOWN but are also implicitly BOTTOM-UP (during security translation you may need to introduce the NTFS permission "List Folder Contents" to some group or to Authenticated Users). NTFS does not support the latter as in Novell. In Novell users will only see (with their eyes) files and folders they have rights to. In W2K3 SP0!!! and earlier this will change. They will see everything. If you have W2K3 SP1 however you can implement Access Based Enumeration to achieve the same (see only when you have permissions configured).

Hope this will help you! As you can see this is a complex migration and it's too difficult to describe migration steps in a nutshell. It is also possible some important step is missing that I forgot about. As always try this first in a test environment to see if it meets your needs!

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: 'packman '; '[email protected]'
Sent: 5/6/2005 9:53 PM
Subject: RE: [ActiveDir] SID History Filtering

FYI:

For NDS reporting you can use the following tool (it is free): http://www.geocities.com/wstools/f_nds.html (DSREPORT)

For more info on NDS migrations read the article written by Quest (Essential Guide to an NDS to AD Migration -> http://wm.quest.com/reg/marketing/landing/migratingndsad/)

Concerning the accounts with the same name (smithj, smithj1, etc.): do these belong to different persons or to one and the same person? Does every user in the NDS also exist in the NT4 domain with the same login name?

#JORGE#

-----Original Message-----
From: packman
To: Jorge de Almeida Pinto
Sent: 5/6/2005 8:08 PM
Subject: Re: [ActiveDir] SID History Filtering

Before I say something I have the following questions for you:

* What is the purpose of the Novell environment? What is it used for?
  File and Print, Applications (old DOS based), Software Dist
* What is the purpose of the NT4 environment? What is it used for?
  Application Servers (various c/s apps), SQL Servers
* What resources are in which environment?
  I'm not sure what you're asking here.
* Is the login name in Novell the same as the login name in NT4?
  It is supposed to be, and I believe 99% of them are. However, when they ran MSDSS, there are instances where they brought over 5 users named smithj and MSDSS then named them to smithj, smithj1, etc. so there are some discrepancies... =(

On 5/6/05, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:

I read the post from the other guys and I understand you also have a Novell environment and it is not that simple if you're migrating from Novell and NT4 to AD. For this you also need two migration tools.

Before I say something I have the following questions for you:

* What is the purpose of the Novell environment? What is it used for? (software distribution, file and print services, etc.)
* What is the purpose of the NT4 environment? What is it used for? (software distribution, file and print services, applications like SQL, etc.)
* What resources are in which environment?
* Is the login name in Novell the same as the login name in NT4?

I have done such migrations and your plan depends on how your current environment is used.
Most of the time Novell is used for file and print services and software distribution (ZENworks) and NT4 is used for application services like SQL and others.

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 5/6/2005 4:05 PM
Subject: [ActiveDir] SID History Filtering

I'm working at a client with what I think is a unique set of circumstances. Instead of upgrading their existing NT 4.0 Domain to AD, they instead created a new AD structure and left the NT 4.0 Domain in production. Almost all of the users are still logging into the 4.0 domain (4d) still, due to the fact that their resources are still in that domain.

My role in all this is getting the servers in 4d moved to AD without causing disruption to those users. All of the 4d ID's were pulled into the AD structure. Someone mentioned to me that we could use SID History filtering, and in one fell swoop, move all the 4d servers over to AD, less the DC's, and everything should still work with the users logging in to 4d. Is this the case?

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
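
The clean-up steps in the migration plan at the top of this thread (unsupported or over-long group names, login names that differ between NDS and NT4, and renamed duplicates such as smithj, smithj1) can be checked on exported name lists before any account is migrated. The following is an added example, not part of the original e-mails: the function names, the sample exports and the unsupported-character set are assumptions, and the 64-character limit is the one quoted in the thread.

```python
import re
from collections import defaultdict

# Assumption: characters not accepted in a Windows account/group name
# (sAMAccountName); the thread does not list them, adjust to your target.
UNSUPPORTED = set('"/\\[]:;|=,+*?<>')
MAX_GROUP_LEN = 64  # limit quoted in the thread

# Constructed sample exports (one name per entry), not real data.
SAMPLE_NDS_LOGINS = ["smithj", "smithj1", "smithj2", "jonesa", "adm1n"]
SAMPLE_NT4_LOGINS = ["SMITHJ", "jonesa", "brownk"]
SAMPLE_NDS_GROUPS = ["Finance", "Sales/EMEA", "HR:Payroll+Benefits", "X" * 70]

def group_name_problems(names):
    """Map each group name that must be renamed to the reasons why."""
    problems = {}
    for name in names:
        reasons = []
        bad = sorted(set(name) & UNSUPPORTED)
        if bad:
            reasons.append("unsupported chars: " + "".join(bad))
        if len(name) > MAX_GROUP_LEN:
            reasons.append(f"length {len(name)} > {MAX_GROUP_LEN}")
        if reasons:
            problems[name] = reasons
    return problems

def login_mismatches(nds_logins, nt4_logins):
    """Return (only_in_nds, only_in_nt4), compared case-insensitively."""
    nds = {n.lower() for n in nds_logins}
    nt4 = {n.lower() for n in nt4_logins}
    return sorted(nds - nt4), sorted(nt4 - nds)

def suffix_families(logins):
    """Find names like smithj, smithj1, smithj2: candidates for accounts a
    sync tool renamed on collision, which need an owner check before they
    are matched to an NT4 account and given its sIDHistory."""
    lowered = {l.lower() for l in logins}
    families = defaultdict(list)
    for login in sorted(lowered):
        base = re.sub(r"\d+$", "", login)
        if base and base != login and base in lowered:
            families[base].append(login)
    return {base: [base] + members for base, members in families.items()}

if __name__ == "__main__":
    print(group_name_problems(SAMPLE_NDS_GROUPS))
    print(login_mismatches(SAMPLE_NDS_LOGINS, SAMPLE_NT4_LOGINS))
    print(suffix_families(SAMPLE_NDS_LOGINS))
```

Any name reported by `suffix_families` or `login_mismatches` should be resolved to a person by hand before the NT4 account and its SID history are merged into an AD account of the same name.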
