Sorry Tom, itchy send finger :)
I meant to add on that ADMT might be a useful tool for you. IIRC, ADMT has a report mode (Quest may as well, and you would do well to check into it prior) that you could run to see if the target already exists. Does that meet your criteria of success? I don't know because that would depend on your criteria of a successful migration. Will it help? I think so.
Scripts could be used as well, but I think something like a migration tool already in place that is run in report mode would be much better in terms of time spent.
Al
On 12/31/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
i guess sidHistory is the "join criteria" in this case and would work well?sidHistory is usually a good criteria as it should only exist on one object in the target and one object in the source. sidHistory is a unique identifier and since it was a migration, that should be useful in figuring out what in the source is now in the target. I will say that it's a horrible idea to undertake a migration and still put items in the source forest waiting for some sunset event of the source forest. It might be a good idea to suggest that they rethink that strategy in favor of using the new shiny forest.but what about contact objects or non security DG's and objects without sids?there is nothing unique that would transfer from the source to the destination that I can think of unless there's a SMTP address or similar associated. Otherwise, it's more like the Microsoft shuffle: copy from source, delete original (in this case, not so much since source still exists, but you get the idea). There's no binding unless you create one.For non-security principals, you'll want to find another criteria that works for you.Al
On 12/31/05, Tom Kern <[EMAIL PROTECTED]> wrote:i am using sidHistory.I've been using Quest AD Migration Manager to copy objects from one forest to another.the tool comes with logging but no way to validate objects in seperate forests post migration.we haven't migrated Exchange yet, so we are co-existing with 2 forests right now.the source forest is still the forest of record.when a new user gets created or a new worktation image is deployed, it still gets staged in the source forest.Management wants to keep doing this till the old forest is decomissioned.also, since consultants from IBM did a lot of the migrating(they are now gone), i'd like a way to validate what they've done.i guess sidHistory is the "join criteria" in this case and would work well?but what about contact objects or non security DG's and objects without sids?thanks
On 12/30/05, Al Mulnick <[EMAIL PROTECTED] > wrote:What would be your join criteria in this case? I mean, if you're not using sidHistory, what's to say that userA in domainA ForestA once moved to domainB ForestB is going to be called UserA? What if a UserA already exists in that target domain?Anyhow, there needs to be an authoritative source and a way to join the source to the target in a way that prevents ambiguity. Normally, sidHistory would fulfill that requirement, but in two separate forests there's no guarantee that you'd use that. Or if you were bringing it from multiple domains it would have multiple source sids.For that purpose, something like MIIS is a very useful tool because of the way it joins directories. If you were to home grow something, you'll have to figure out what the link is. If it's different than what 80% of the people out there need, it won't be an off-the-shelf tool that you're looking for, but more like the others have said: db, xls, script, or similar to do that work.Does that help?
On 12/30/05, Almeida Pinto, Jorge de < [EMAIL PROTECTED]> wrote:dont know any tool that is able to do this
how about scripting this?
j.
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 2005-12-30 22:50
To: activedirectory
Subject: [ActiveDir] directory validation
Is there some utility(free?) where you can validate objects from one AD forest against another?
like, if you've done a migration and you want to make sure the objects in the target forest are pretty much in sync with objects in the source(group memebership,etc)?
thanks
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
