0

We have a forest SiteA

We have child domains SiteB SiteC SiteD

We have a few users who are on SiteB and need to be migrated over to SiteC.

We used to be setup like SiteB.Comapnyname.local\USERNAME for login. But we are are moving to Office 365, users have been moved to firstname.lastname@comapnyname.com

Before i would just make the same users domain on Domain SiteC the same as SiteB.

I cant do this now as the firstname.lastname@companyname.com login already exists so i cant make it on the other domains.

I have Server 2012 on SiteB and Server 2008 on SiteC

Is there a way i can migrate from SiteB to SiteC ??

I have read about ADMT but doesnt work on 2012 and 2008 as far as i can tell.... any suggestions?

RedPacketSecurity
  • 11
  • 1
  • 1
  • 6
    Wow. You're just doing this so wrong, it might not be possible to untangle. [For starters, Active Directory contains objects called sites](http://serverfault.com/a/570486/118258). You should probably be using sites for your sites, and not domains. I would start by fixing/replacing/migrating your existing domain tangle to a setup that has it being done right. – HopelessN00b Mar 19 '14 at 15:34

3 Answers3

3

From what you're describing you really, really, REALLY need to rearchitect your AD design.

Like HopelessN00b pointed out, Active Directory has a concept of a "site", which is the correct logical representation of sites within the same company (domain of control). Your AD should also be properly scoped (as ad.mycompany.com or something similar).

Properly using sites and a subdomain for AD means that your users don't have to have (and manage) multiple accounts for each site (I'm shocked that your users are putting up with that), nor do you have to create new user accounts when people move from one site to another or deal with potential naming conflicts on your external (public) domain - the users' credentials are unique within your AD domain, and work everywhere within the domain so everyone is happy.

Restructuring your domain is going to be a lot of work. I suggest you hire a consultant with AD experience to help you do it right.
In the interim I'm afraid I don't know of any supported way to do what you're asking in terms of account-shuffling, but maybe someone else with more recent Windows experience can chime in with a suggestion.

Community
  • 1
voretaq7
  • 79,345
  • 17
  • 128
  • 213
  • 1
    it is set as is, and my manager wants it kept that way so i dont have the option of re-jigging the AD structure. They are child domains as they are different companies under one forest. On a MPLS network. – RedPacketSecurity Mar 19 '14 at 15:55
2

I have read about ADMT but doesnt work on 2012 and 2008 as far as i can tell.... any suggestions?

This is no longer the case. You can install the latest ADMT 3.2 and PES 3.1 bits on 2012 and 2012 R2 as well as migrating to 2012/2012 R2 based domains with it. This is your tool of choice.

That said, as @voretaq7 has pointed out, you seem to have larger architectural challenges that should be addressed beforehand, but once you do settle on how you'd like to restructure, ADMT is capable.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
-3

UPDATED You can now run ADMT 3.2 ON server 2012 and 2012 R2

You are right that ADMT 3.2 and PES 3.1 cannot be installed on a Windows Server 2012 box; however, you can install a Windows Server 2008 R2 domain controller (and still run 2008 forest functional level) in SiteC and run ADMT 3.2 from there. ADMT is ran from the target domain, not the source. Next, install a Windows Server 2008 R2 in SiteB (source) and promote it to a domain controller. Install PES 3.1 on this box. If the forest functional level in SiteB is 2012, then downgrade it to 2008 R2, then upgrade it back to 2012 after the migration. If you're not migrating passwords, you don't need to install PES at all.

When you migrate to a Windows Server 2012 domain, install ADMT 3.2 on a Windows Server 2008 R2 server that can operate as the migration computer. You have to have a Windows Server 2008 R2 domain controller in the target environment.

Note If you already specified a Windows Server 2012 domain functional level, and you want the ADMT server to be a domain controller, you can lower the forest and domain functional level by using Windows PowerShell commands. For example, you can use commands that resemble the following:

Set-AdForestMode -identity contoso.com -forestmode Windows2008R2Forest
Set-AdDomainMode -identity contoso.com -domainmode Windows2008R2Domain

Windows Server 2012 implements only one feature, Dynamic Access Control, that has a Windows Server 2012 domain functional level requirement when the Windows Server 2012 domain is configured always to provide claims from all domain controllers. If you do not use this feature, you can lower the functional levels to support previous operating system domain controllers for ADMT migrations. When the migration is complete, you can raise the domain and forest functional levels back to Windows Server 2012.

Supported Operating System Windows Server 2008 R2 ADMT can be installed on any computer capable of running the Windows Server 2008 R2 operating system, unless they are Read-Only domain controllers or in a Server Core configuration. Target domain: The target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 Source domain: The source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 The ADMT agent, installed by ADMT on computers in the source domains, can operate on computers running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Sources:

Personal experience

http://support.microsoft.com/kb/2753560

http://www.microsoft.com/en-us/download/details.aspx?id=8377

Travis Runyard
  • 1
  • 2
  • 1
    This is not true. The latest version of ADMT fully supports Server 2012 and 2012 R2, as does PES. The versions did not get a bump, but the current downloads for each are supported. – MDMarra Aug 01 '14 at 02:33
  • This is bull crap that they updated ADMT without incrementing the version number. – Travis Runyard Aug 02 '14 at 16:45