I'm pretty much fearful of exactly the same things - in the
meantime it's clear that any change to the source is not allowed and the
customer is really keen on doing everything at once over a long weekend and is
willing to risk "some extra troubleshooting" for the benefit of keeping both
domains intact. Sounds like a lovely scripting job without much help from
migration tools...
I'll have to think about doing some network tricks to have
them in different subnets - then it should work having the two DCs available in
the location (somehow).
Thanks though Eric for your thoughts early in the morning
;-)
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 17:30
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name
AD itself shouldn't care (if
it will care, I can't think of why right now, but then again it's only 8:32am,
far before I am usually able to recall much). But someone who does broadcast, or
maybe WINS gets mucked up as a result....they very well might care that a domain
they think has some name doesn't know who they are.
Having two domains with the same name
within NetBIOS earshot of one another is risky business. I'm always fearful that
some subtle component (in Windows or not) gets confused and talks to a DC in the
wrong domain.
Another option is logical migration
w/o physical. Take the users and do logical migration on them (ldifde or the
like), and deal with SID and such headache and domain rejoin.
Another option is upgrade the 2k+ side to
2k3, and rename that domain.
~Eric
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name
Thanks Eric, renaming the source NT4 domain was on the list
of my options and I know that it works as I've done it before in a larger
test-environment. However, I expect many more headaches in a production
environment as it's difficult to analyse all the dependencies to existing apps,
e.g. Exchange 5.5 and others.
And since you need to re-join all members to the domain
anyways, it's almost as much work as just joining them to the target
domain...
...hmm - that just triggered a thought - I guess it would
be possible to do just that: rename the source dom (on PDC) + re-join all BDCs,
then setup trust to the target domain and join all resources to target domain
while accounts & groups are still in (renamed) source domain. [thinking
continues]... of course the challenges with the apps and potential dependencies
on the old domain name remain and need to be analysed first - so it's really
tough to estimate the amount of work involved for this...
Besides, the obvious downside is fallback options =>
customers usually don't allow any drastic changes in the existing
infrastructure, when migrating to another one - which I fully
understand.
So I was
mainly seeking for other experience and things to look out for, if domain rename
is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP
domain in the same subnet as a DC of the AD CORP domain? I guess I could
hinder the AD DC somehow from trying to race against the NT4 BDC to
become master browser. Even when we plan to do a hard-cutover (long
weekend), I'll need DCs of both domains available at some point... And I
know I need to test this anyways, but can't do so right
now.
I should mention, that I'm talking about roughly 1000
users with clients and servers distributed in a dozen locations. So nothing
major - a hard cutover should be doable over a long 4-day weekend (incl.
migration of all mailboxes at once) and handling re-ACLing on the FS is no
issue.
According to the customer, there are no other apps (other than
Exchange) that leverage the NT4 domain for anything (other than running on a
member server). My past experience tells me that this is likely not to be
true... I'm sure there are other things that are often overlooked - any
ideas?
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 16 June 2005 07:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name
Rename it?
I will admit, I’ve never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes. http://support.microsoft.com/default.aspx?scid=kb;en-us;169741
If this does work, I’d like to know, so I can recommend it in the future.
The other option is logical data migration but not actual “migration” if you will. IE, ldifde and such. But that comes with the normal “lose the SIDs” type of issues, which I assume to be a major headache for your scenario.
~Eric
PS: Basically, this mail translates roughly into me saying, this might or might not work, and I’d like you to be my testing guy to let me know, since I’ve never had occasion to give it a whirl myself.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic.
But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience.
Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=copr.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs...
I can imagine various challenges, besides not being able to setup a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration has to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same ip-subnet...
I wonder how others have tackled this challenge and what issues you ran into.
/Guido