Discussion:
ADMT limitations?
Pat Woods
2007-02-06 21:50:42 UTC
I have 1 empty root and 3 child domains in a Windows 2003 domain. We are
currently attempting to migrate all objects from the child domains to the
empty root. ADMT 3 appears not to have the option to disable or leave the
source accounts intact by design. Could this be right? Just because it is
an Inter-forest migration it is being considered a move. We have
successfully migrated 2 other Windows 2003 domains outside this forest to
the parent and the option was available. Maybe I am missing something
here? I would much rather disable the source accounts than remove them.
Seems a bit risky. Please help!!

Thanks,
Pat
Herb Martin
2007-02-06 22:18:52 UTC
Post by Pat Woods
I have 1 empty root and 3 child domains in a Windows 2003 domain. We are
currently attempting to migrate all objects from the child domains to the
empty root. ADMT 3 appears not to have the option to disable or leave the
source accounts intact by design. Could this be right? Just because it is
an Inter-forest migration it is being considered a move.
Yes, otherwise (with SID history) you would have TWO users who have the
same SID. One in the old domain and one that was migrated.

Bad thing.
Post by Pat Woods
We have successfully migrated 2 other Windows 2003 domains outside this
forest to the parent and the option was available.
The assumption is that from outside the forest there is no (active) resource
access.
Post by Pat Woods
Maybe I am missing something here? I would much rather disable the source
accounts than remove them. Seems a bit risky. Please help!!
Make a backup first -- System State backup.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Paul Williams [MVP]
2007-02-06 22:23:51 UTC
You're performing an intra-forest migration. An inter-forest migration is a
copy operation from an external domain.

When you perform an intra-forest migration the cross-domain (xdom) move
algorithm is used instead of copying; this means the GUID is preserved.
The underlying mechanisms are different, which is why you can't leave
disabled objects behind. You can roll back the operation though.

Note: SID History is always implemented, passwords are retained, and
profiles should be migrated automatically, as they're tied to GUID.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
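
Added example, not part of the original thread or of ADMT: a Python check of the two properties described in the reply above, that after an intra-forest move the objectGUID is unchanged and the source SID appears in sIDHistory. It assumes raw binary attribute values taken from LDAP exports before and after the move; the `check_move` helper and all SIDs and the GUID in the sample are constructed.

```python
import struct
import uuid

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (objectSid / sIDHistory value) to S-1-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_from_str(text: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed sample."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def check_move(before: dict, after: dict) -> list:
    """Return findings; an empty list means the object looks like a clean move."""
    findings = []
    # objectGUID is stored in the mixed-endian layout that bytes_le decodes.
    if uuid.UUID(bytes_le=before["objectGUID"]) != uuid.UUID(bytes_le=after["objectGUID"]):
        findings.append("objectGUID changed: object was copied, not moved")
    old_sid = sid_to_str(before["objectSid"])
    new_sid = sid_to_str(after["objectSid"])
    # Everything before the final RID identifies the issuing domain.
    if old_sid.rsplit("-", 1)[0] == new_sid.rsplit("-", 1)[0]:
        findings.append("objectSid still in source domain")
    history = [sid_to_str(s) for s in after.get("sIDHistory", [])]
    if old_sid not in history:
        findings.append("source SID missing from sIDHistory")
    return findings

# Constructed sample: the GUID, domain SIDs and RIDs below are made up.
GUID = uuid.UUID("6f1d2c3a-4b5e-4a77-9c10-2e8d5f0a1b2c").bytes_le
BEFORE = {"objectGUID": GUID,
          "objectSid": sid_from_str("S-1-5-21-1111111111-2222222222-3333333333-1105")}
AFTER = {"objectGUID": GUID,
         "objectSid": sid_from_str("S-1-5-21-1234567890-987654321-2345678901-2210"),
         "sIDHistory": [BEFORE["objectSid"]]}

if __name__ == "__main__":
    print(check_move(BEFORE, AFTER) or "moved: GUID preserved, old SID in sIDHistory")
```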