SG Windows IT Pro Group

Hi guys,

I need your help as I quite confuesd on the migration of DC.

I have a one current DC name sg.company. The role of sg.company is DHCP, DNS, FS, DFS. All share folder are sitting in local C and D drive. Now, the company decided to get other new server, and this new server will be a MAIN DC name, company.local. But this new server will be on other location and the current server will be joining to this new DC.

Now if the current server depromo, and join as addition DC name company.local. Will the users profile be affected? Is they other waynot affected the user? Mean user logginng to their system will be still on the same profile.

And how about the share permission folder? Do I have to reassign all the folder permission again? Pls advise the steps. thanks

Forgot to mention, all the server is running on window server 2008.

Hi Cedric,

Why do you need to create a new domain from scratch? If you really have to change the domain name to company.local for whatever reason, you can consider domain rename which will help you minimize effect to user. (Refer to following link for more information about domain rename http://technet.microsoft.com/en-us/library/cc816848(WS.10).aspx).

If for any reason you have to create a new domain from scratch and demote current DC and join it to the new domain, then you will have to first migrate your existing AD resources (user & computer accounts etc) to new domain. There is a tool call Active Directory Migration Tool which can help you to migrate user and computer profile and allow them to retain access to their share folder.  (http://www.microsoft.com/downloads/info.aspx?na=47&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=6f86937b-533a-466d-a8e8-aff85ad3d212&u=details.aspx%3ffamilyid%3dAE279D01-7DCA-413C-A9D2-B42DFB746059%26displaylang%3den).

New DC at another site?  Both sites need to be connected together by VPN or site to site (rarely done nowadays).

Make sure the IP address at the other site is in another subnet.  for example site a 10.10.10.x, site b 10.10.11.x

Thanks, another question. i need to also seize the FSMO. Do i depromo the current server then dcpromo the current server to join the new domian , then seize the FSMO or before depromo the current server, i need to sezie the FSMO? which way???

Correct me if i am wrong, I should not depromo the current server and should use the ADMT tool to migrate the AD user, then seize the FSMO role, follow by depromo the current server and dcpromo it again to be a addition DC to the new DC.

If your existing DC is still online, just transfer the FSMO role to the new DC. No need to seize.

You can refer to following link for steps to transfer FSMO role:

• Transfer the Schema Master
  
• Transfer the Domain Naming Master
  
• Transfer the Domain-Level Operations Master Roles

BTW, please go through following article on Decommissioning of DC:

http://technet.microsoft.com/en-us/library/cc816644(WS.10).aspx

Anyway, if the new DC is in the same AD domain and you are talking about transfering FSMO role to new DC, you don't need to think about using ADMT to migrate AD user. When you promote the new server as domain controller of the existing domain controller, it will hold a copy of your AD database. So, it will retain all your AD accounts and objects even after you demote your existing DC.

Cedric, based on the questions posed, I would advised reading up on DC before doing any work.

1. You must always have 1 DC up and running or the users cannot login.
My rule is 2 for 50 users, 1 dedicated, 1 dual use.  >50 compulsary 2.  Every site with more than 10users 1 DC.  Contary to popular belief propagated by sales, you can use a PC as a DC.  Just make sure you have at least 1 DC on a good server.

2. You have one domain. ADMT does not apply. In fact I don't recommend anyone to use ADMT.  This is only use when you company is splitting or acquiring.  Both are usually very traumatic for support personnel.

3. Always install Windows support tools, it can at a glance tell you who is holding the roles or missing.

Hi Thanks for all your reply. I believe I will need to use ADMT too. Coz we have one forest with three different parent domain. Example: .com.local is our root domain. and my company is ABC.com.local and other company is CBD.com.local. Now these company gonna split and I have to remove the .com.local. So I need to bring my current domain out of this .com.local and to a new forest called ABC.local instead. However, if I used these mentod, the ADMT tools can help to migrate the users profile to new domain? As we have 300 users, I dont want to go every PCs and migrated their profile to the new domain. How can this be done? Using ADMT can help? so when the server has been migrated to abc.local . the user start their PC and login , will go straight to abc.local instead of abc.com.local. As well as their email. I hope I explain very clear.

Pls advise.

thanks

Moving com.local to abc.local.
1. Setup a new domain abc.local
2. Trusts
3. Run ADMT (This is done at the server)
a. ADMT will move the AD user and computer objects to the new domain.
b. ADMT will migrate the profiles on the user computers to the new domain profiles.

4. Reboot the user computer and login to the new domain.  This is a local action.
 para 3 and 4 can be done big bang or batched.

Interoperability issues
i. File server
ii. Sharepoint server
iii. Mail server.  This is another long topic.  If new server, just export and import.  If Exchange 2007, it is a PITA.

Performance
ADMT has a success rate of 80% for the computer objects.  Those 20% just reset, unjoin and rejoin.  Exchange import and export, IIRC takes about 4GB/hr.  Local admin password of all computers is critical.

Have fun.