Al, we questioned Microsoft only when she told us that each forest has to have its own Exchange org, even when both forests are at 5.5 - we understand this to be true for Exchange 2003, but we have functioned for years under one Exchange org when we were both at 5.5.
At this point, we're just trying to use every resource available to resolve our issue. Thanks for your help.

---------------------------------------------------------
Date: Thu, 1 Jun 2006 21:37:11 -0400
From: "Al Mulnick" <[EMAIL PROTECTED]>
Subject: Re: [ActiveDir] [ActiveDir Digest]
Reply-To: [email protected]

Jeri, the ADC is the component that helps to bridge the 5.5 and AD directories. Regardless of what happens, you should have the ability for the ADC to put Exchange 5.5 data into the AD and vice-versa. Although the 5.5 server is gone in forest A, that doesn't necessarily mean they can't have the ADC there. They can also have the forest B 5.5 site replicate its data via 5.5 methods. All of that depends on what settings forest A made when they removed Exchange 5.5. It's possible they made a change that prevents Exchange 2003 from ever seeing a 5.5 server again.

It's dangerous to second-guess Microsoft on this. I'm sure there are many more details to be had, and I'm curious what makes you think that if Microsoft support couldn't help, somebody else can? Can you enlighten us as to what was said and what reasons were given?

Al

On 6/1/06, Bland, Jeri <[EMAIL PROTECTED]> wrote:
>
> Although this also involves Exchange, I hope someone can help me with the
> following scenario as soon as possible:
>
> Same Company
> Two Separate Forests
> Two Separate Domains
> Two-way transitive trust
> One Exchange Org with Admin Group One as Forest A
>   and Admin Group Two as Forest B
> Full ability to see and administer each other's AD and Exchange, if
> necessary
>
> Forest A recently migrated from Exchange 5.5 to Exchange 2003 and AD 2003.
> Forest B wants to do the same.
>
> When Forest A decommissioned its Exchange 5.5 server, its new Exchange 2003
> server could no longer see Forest B's Exchange 5.5 server (which is Win2k
> OS), and any new users added to Forest A do not appear in the Global Address
> Book used by Forest B, and which was in the past shared by both forests - as
> a result, Forest B can send no emails to new users in Forest A.
>
> In addition, the 5.5 server in Forest B can no longer be seen or
> administered by Forest A, even though there is an ADC between them.
>
> Microsoft says that because Exchange 5.5 does not use AD and Exchange 2003
> does, there will no longer be any communication between the 5.5 server and
> the 2003 server until Forest B migrates or upgrades to AD 2003 and Exchange
> 2003. Microsoft also said that if Forest A brings back the 5.5 server for
> the sake of Forest B's upgrade or migration, that it still would not work.
>
> Forest B has a new AD 2003 server that it wants to promote, and demote the
> existing AD 2000 server.
>
> After establishing an ADC between forests, Forest B has a new Exchange 2003
> server that it wants to introduce to its domain. Forest B is also
> considering an in-place upgrade of its existing 5.5 server.
>
> The issue is the preservation and move of the mailboxes without having to
> PST them manually. If an Exchange 2003 environment cannot see an Exchange
> 5.5 server, how can we move the mailboxes?
>
> Sorry for being long-winded... thanks for any help you can give
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

---------------------------------------------------------
Subject: RE: [ActiveDir] Profile migration to new domain
Date: Fri, 2 Jun 2006 11:44:39 +1000
From: "Molkentin, Steve" <[EMAIL PROTECTED]>
Reply-To: [email protected]

Jerry, I think without the trusts and using ADMT, you are going to be pushing it up a hill as far as the "easy" portion of this goes.

Good luck and let us know what you end up doing...

themolk.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Condra, Jerry W Mr HP
> Sent: Friday, 2 June 2006 7:16 AM
> To: [email protected]
> Subject: [ActiveDir] Profile migration to new domain
>
> Hi all
> The environment I'm in has multiple domains and I've been given a task
> to move about 40 users from one domain to another. There's no trust
> between the source domain and mine and no plans to have one. Too much
> red tape. My dilemma is trying to preserve the users' desktop profiles
> when they come over to my domain. In the past there's been a trust
> between any domain migrations I've performed, which provides a host of
> avenues, but with no trust I'm not sure of a way to do it other than some
> manual moves and permission/registry tweaks. However, doing that for 40
> users with a manual process is not my idea of fun. Saving their email is
> covered so it's not an issue. Any ideas or methods would be welcomed.
>
> Many thanks
>
> Jerry

---------------------------------------------------------
Date: Thu, 01 Jun 2006 18:47:58 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Subject: Re: [ActiveDir] Profile migration to new domain
Reply-To: [email protected]

Well, I nuked and paved a formerly Dell OEM, now a retail OS... and now can't get the NIC on the motherboard to find NIC drivers. Anyone for a black decorative doorstop until I find the driver it wants, or throw an Intel card in there?

Small firms: we
a. don't have the proper license to nuke/pave/reimage
b. may not have the proper media to restore (you get the lovely OEM view of 'restoration media')
c. are already running the kitchen sink service as it is, and now you want us to RIS on that box as well?
Geeze guys.... (it can do it, but we recommend you turn it on when you need it and turn it off otherwise; Exchange isn't a real happy camper sharing mem space)

Al Mulnick wrote:
> Sorry ma'am. I should have completed my sentence and said, "...unless
> Susan can post the step by step directions."
>
> Silly me for not proofreading first.
>
> I'd still opt for nuke and pave in that environment. Allows you to
> have a known state, and last I checked that's kind of important to the
> type of customer he has.
>
> Now he has more options.
>
> USMT would have been a thought except that there is no trust and no
> reason to move the SID that I can think of. Same reason that moveuser
> wouldn't really matter to me. I'd prefer the control of creating the
> users as new users. In effect, they are new users (secprins) anyway
> - treat 'em that way.
>
> Susan offers a way to get the settings and magical icons though.
> That's a nice touch and an option if so taken.
>
>
> On 6/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
> <[EMAIL PROTECTED]> wrote:
>
> Rip out a profile? Nuke and pave?
>
> Bite your tongue sir... we want that icon to be exactly right THERE on
> the desktop.
>
> file/transfer wiz in XP (but don't get docs.. just do settings)
>
> Download details: Windows Server 2003 Resource Kit Tools:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
>
> Moveuser.exe
> How to migrate user accounts:
> http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx
> Moveuser - Move between domains:
> http://www.ss64.com/nt/moveuser.html
>
>
> *The Old Fashioned Way*
>
> Call it a lesson learned late on a Saturday night.
> This method was used
> in late January during the heat of a conversion battle by yours truly!
> For this procedure, I assume that you are using a Windows XP
> Professional workstation.
>
> 1. While the XP Pro workstation is still attached to the legacy SBS
>    2000 network, copy the network profile down to the local hard
>    disk. So assuming you are logged on to said SBS 2000 network,
>    proceed to the next step.
>
> 2. Click Start>Control Panel>System>Advanced>User Profiles>Settings.
>
> 3. Highlight the network profile for the user. For example, NormH.
>
> 4. Select Copy To and direct the profile to copy to the local hard
>    disk. For example, C:\Temp. Click OK>OK.
>
> 5. From the Control Panel, launch Administrative Tools>Computer
>    Management.
>
> 6. Select System Tools>Local Users and Groups.
>
> 7. Select Users.
>
> 8. Right-click in the right pane and select New User to add a user
>    named "Foo."
>
> 9. Double-click the user object and select the Profile tab to view
>    the properties for Foo.
>
> 10. In the Profile path field, point to the exact profile you copied
>     to C:\Temp in Step 4. Click OK.
>
> 11. Close all open applications, shut down the Windows XP Pro machine,
>     and move it physically to the new SBS 2003 network. Reboot and
>     relaunch the SBS Network Configuration Wizard.
>
> 12. Back on the screen to Assign users to this computer and migrate
>     their profiles, in the lower section, under the user name (for
>     example, NormH), click Current User Settings and select Foo.
>     Complete the steps for joining the workstation to the SBS 2003
>     domain. The profile WILL be migrated!
>
>
> *User Profile Registry*
>
> This method came in from M.J. Shoer ([EMAIL PROTECTED]), who attended
> the SMB Nation Summit in Boston in May. He writes:
>
> This method has worked for us without fail. We can retain the
> complete profile customizations for a PC that was logged into one
> domain and must now be logged into a new one.
>
> The method works for both Win2K and WinXP. It has also worked for
> upgrading SBS 2000 to SBS 2003, where it is happening on the same
> server, meaning that you have to reformat the SBS 2000 server and
> load "freshie," as you would say, with SBS 2003. Here's how it
> works.
>
> Once the SBS 2003 server is set up and the computers are set up on
> the server side, log into the client PC and run the connectcomputer
> URL. When that step is completed, log in as the user. Then
> immediately log off and log on as the domain administrator.
>
> Be sure the domain user account is in the local Administrators
> group. Then open Registry Editor and navigate to
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
> You will see a listing for each SID. Within each SID key, you will
> see an entry for ProfileImagePath with a path to the user's profile
> in the form of %SystemDrive%\Documents and Settings\UserName.
>
> The trick is to find the new key that was set up at logon to the SBS
> 2003 server and edit the path to refer back to the original profile
> path. So, for example, if you are migrating and changing domains,
> you want to have a path like %SystemDrive%\Documents and
> Settings\UserName.OldDomain. You then have a new SID key with a path
> like %SystemDrive%\Documents and Settings\UserName.NewDomain. You
> can edit this key and replace NewDomain with OldDomain to point to
> the old profile.
>
> In the case of a server migration within the same domain, you have a
> path to the effect of %SystemDrive%\Documents and
> Settings\UserName.Domain and %SystemDrive%\Documents and
> Settings\UserName.Domain.000. In this instance, you delete the .000
> to point back to the original profile.
>
>
> *The MCSE Way*
>
> Then there are the grizzled MCSEs amongst us who pointedly highlight
> using the Active Directory Migration Tool (ADMT).
> Details at
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/admtool.mspx
> Enough said!
>
>
> Al Mulnick wrote:
> > Suggestions? More like a shot in the dark. :)
> >
> > Have you seen the transfer your settings wizard in XP? Have you
> > checked to see what that can do for you? I suspect there will be some
> > scripting involved, because there will be no automated way to
> > determine the source/target profiles programmatically. You could
> > migrate their settings etc, but there's no SID/sIDHistory to
> > reference. Not much point in getting that information either. There's
> > also the permissions issues etc.
> >
> > Was it me, I'd suggest taking this opportunity to re-image the
> > workstations in question. Cleaner, neater, more secure, and no
> > lingering issues to deal with.
> >
> > Al
> >
> >
> > On 6/1/06, *Condra, Jerry W Mr HP* <[EMAIL PROTECTED]> wrote:
> >
> > Hi all
> > The environment I'm in has multiple domains and I've been given a task
> > to move about 40 users from one domain to another. There's no trust
> > between the source domain and mine and no plans to have one. Too much
> > red tape. My dilemma is trying to preserve the users' desktop profiles
> > when they come over to my domain. In the past there's been a trust
> > between any domain migrations I've performed, which provides a host of
> > avenues, but with no trust I'm not sure of a way to do it other
> > than some manual moves and permission/registry tweaks. However, doing that
> > for 40 users with a manual process is not my idea of fun. Saving their
> > email is covered so it's not an issue. Any ideas or methods would be welcomed.
> >
> > Many thanks
> >
> > Jerry

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

---------------------------------------------------------
Date: Thu, 01 Jun 2006 21:52:16 -0500
From: Al Lilianstrom <[EMAIL PROTECTED]>
Subject: Re: [ActiveDir] New DC can't find the machine account
Reply-To: [email protected]

[EMAIL PROTECTED] wrote:
> Mark: why would this be "expected"?
> Al: Who is doing DNS for this DC in question? If you ping a domain resource
> from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's Lucent's QIP server on an old, slow NT box. According to the guy who manages it, he's a couple of major releases behind on the software. We're also seeing some other issues with machines in the child domain of this domain having problems registering their DNS records.

Existing DCs can be resolved and accessed - which confuses me with the netlogon pausing, as the DC when booting should, in my mind, query the other DC for its account information - not itself.
al

> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mark Parris
> Sent: Thu 6/1/2006 7:11 AM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] New DC can't find the machine account
>
> Did you see my post last night - this is expected behaviour?
>
> -----Original Message-----
> From: Al Lilianstrom <[EMAIL PROTECTED]>
> Date: Thu, 01 Jun 2006 08:13:20
> To: [email protected]
> Subject: Re: [ActiveDir] New DC can't find the machine account
>
> [EMAIL PROTECTED] wrote:
>> I bet you one crate to a bottle of German beer that your DNS is out to
>> lunch.
>> Every time when I've seen this, it always goes away by kicking a DNS server
>> somewhere. Check your DNS servers.
>
> I talked to the networking people and the DNS server that is used for
> our test domains is a couple of major releases out of date and running
> on really crap hardware.
>
> Building him a new server...
>
> Thanks for all the help.
>
> al
>
>> Sincerely,
>> Microsoft MVP - Directory Services
>> www.readymaids.com - we know IT
>> www.akomolafe.com
>> Do you now realize that Today is the Tomorrow you were worried about
>> Yesterday? -anon
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
>> Sent: Wed 5/31/2006 7:53 AM
>> To: [email protected]
>> Subject: Re: [ActiveDir] New DC can't find the machine account
>>
>> Almeida Pinto, Jorge de wrote:
>>> see if the following helps:
>>> http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1
>>
>> I had run across that page last night.
>>
>> Time is ok (ntp to local time source)
>> I don't think that both computer accounts are corrupt as they were ok as
>> simple servers
>> I enabled debug logging for the netlogon service and at the same time I
>> get the userenv events I get
>>
>> 05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.:
>> Netlogon is paused on the server. 0x14
>>
>> al
>>
>>> Met vriendelijke groeten / Kind regards,
>>> Ing. Jorge de Almeida Pinto
>>> Senior Infrastructure Consultant
>>> MVP Windows Server - Directory Services
>>>
>>> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>>> Tel : +31-(0)40-29.57.777
>>> Mobile : +31-(0)6-26.26.62.80
>>> E-mail : <see sender address>
>>>
>>> ________________________________
>>>
>>> From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
>>> Sent: Wed 2006-05-31 15:37
>>> To: [email protected]
>>> Subject: [ActiveDir] New DC can't find the machine account
>>>
>>> Hi,
>>>
>>> I have a Windows 2000 based AD (empty root with 1 child domain) that I'm
>>> in the process of upgrading to w2003r2 as a test for our production
>>> domain (same configuration). The adprep went fine as well as the dcpromo
>>> of the new DC. However, when the new DC reboots I get the following
>>> messages in the application log:
>>>
>>> EVENT TYPE Error
>>> SOURCE Userenv
>>> EVENT ID 1097
>>> Windows cannot find the machine account, The Local Security Authority
>>> cannot be contacted.
>>>
>>> and
>>>
>>> EVENT TYPE Error
>>> SOURCE Userenv
>>> EVENT ID 1030
>>> Windows cannot query for the list of Group Policy objects. Check the
>>> event log for possible messages previously logged by the policy engine
>>> that describes the reason for this.
>>>
>>> Neither system had these messages when they were simple servers in the
>>> domain. They were rebooted several times before becoming DCs to make
>>> sure the event logs were clean.
>>>
>>> They seem to be functioning as DCs. File replication with the original
>>> w2k DC took a long time to start up.
>>>
>>> I added a second w2k3 r2 DC and it is showing the exact same messages.
>>> Both machines were created from the same sysprep image - the machine
>>> that was built as the basis for the sysprep image was never in the domain.
>>>
>>> I've been searching Microsoft and came up with one or two applicable
>>> docs. One said to make sure that services like netlogon were set to
>>> automatic (it is). Another had settings for enabling debug on the
>>> netlogon service, which I implemented. All that I see in there is
>>> netlogon pausing.
>>>
>>> Any ideas?
>>>
>>> al
>>> --

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
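Editor's added example for the "User Profile Registry" method that Susan Bradley forwarded in the profile-migration thread above (M.J. Shoer's procedure: let the user log on once to the new domain, then edit the new SID's ProfileImagePath under ProfileList so it points back at the old profile folder). This script is not from the list thread or from any Microsoft tool; it is written for current Windows PowerShell and icacls, which the 2006-era XP boxes in the thread did not have, so those would follow the manual regedit steps instead. The domain name NEWCORP, the user jdoe and the old profile path in the example call are assumed names for illustration.

```powershell
# Editor's added example (not from the ActiveDir thread): script the
# ProfileList re-point that the quoted procedure does by hand in regedit.
# Run elevated on the workstation, with the user logged OFF.

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-AccountSid {
    param([Parameter(Mandatory=$true)][string]$Domain,
          [Parameter(Mandatory=$true)][string]$User)
    # LSA lookup of DOMAIN\user; throws if the account cannot be resolved,
    # which is the right outcome when the new domain is unreachable.
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $User)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Repoint-UserProfile {
    param(
        [Parameter(Mandatory=$true)][string]$NewDomain,      # assumed, e.g. NEWCORP
        [Parameter(Mandatory=$true)][string]$UserName,       # assumed, e.g. jdoe
        [Parameter(Mandatory=$true)][string]$OldProfileDir,  # e.g. C:\Documents and Settings\jdoe.OLDCORP
        [switch]$WhatIf
    )
    $sid = Get-AccountSid -Domain $NewDomain -User $UserName
    $key = Join-Path $ProfileListKey $sid

    # The new SID key only exists after the user has logged on once.
    if (-not (Test-Path -Path $key)) {
        throw "No ProfileList entry for $NewDomain\$UserName ($sid). Log the user on to the new domain once, then log off."
    }
    # A loaded hive shows up under HKEY_USERS\<SID>; never edit a live profile.
    if (Test-Path -Path "Registry::HKEY_USERS\$sid") {
        throw "Profile for $sid is still loaded. Log the user off before re-pointing it."
    }
    if (-not (Test-Path -LiteralPath $OldProfileDir -PathType Container)) {
        throw "Old profile directory '$OldProfileDir' not found."
    }
    if (-not (Test-Path -LiteralPath (Join-Path $OldProfileDir 'NTUSER.DAT'))) {
        throw "'$OldProfileDir' has no NTUSER.DAT; it is not a user profile."
    }

    $current = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
    Write-Host "ProfileImagePath for $NewDomain\$UserName ($sid): '$current' -> '$OldProfileDir'"

    # Export the SID key first so the change is reversible with 'reg import'.
    $backup = Join-Path $env:TEMP "ProfileList-$sid.reg"
    & reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export to $backup failed; not continuing." }
    Write-Host "Backup written to $backup"

    if ($WhatIf) { return }

    # ProfileImagePath is REG_EXPAND_SZ; keep that type when overwriting.
    Set-ItemProperty -Path $key -Name ProfileImagePath -Value $OldProfileDir -Type ExpandString

    # The old folder is ACLed for the OLD domain SID. The quoted procedure gets
    # around that by keeping the user in local Administrators; granting the new
    # account explicitly lets you take it back out of Administrators afterwards.
    & icacls.exe $OldProfileDir /grant "${NewDomain}\${UserName}:(OI)(CI)F" /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported errors; check ACLs on $OldProfileDir by hand." }
}

# Example call with assumed names; drop -WhatIf to apply the change.
# Repoint-UserProfile -NewDomain NEWCORP -UserName jdoe -OldProfileDir 'C:\Documents and Settings\jdoe.OLDCORP' -WhatIf
```

Two caveats a practitioner should keep in mind. The keys inside NTUSER.DAT carry ACEs for the old SID as well, and icacls does not rewrite those, so either keep the local-Administrators step from the quoted procedure or re-ACL the hive separately. And because the profile is now tied to a freshly created security principal, nothing in the old domain (EFS keys, saved credentials, anything protected by DPAPI under the old SID) will be usable from it; that is the same trade-off Al Mulnick's "treat 'em as new users" advice accepts.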
