162 lines
11 KiB
HTML
162 lines
11 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
|
||
|
"http://www.w3.org/TR/REC-html40/strict.dtd">
|
||
|
<HTML DIR="LTR">
|
||
|
<HEAD>
|
||
|
<TITLE>Perform an interforest resource domain migration</TITLE>
|
||
|
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
|
||
|
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">
|
||
|
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
|
||
|
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
|
||
|
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
|
||
|
<META NAME="MS.LOCALE" CONTENT="EN-US">
|
||
|
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
|
||
|
<META NAME="MS-HAID" CONTENT="a_ADMTInterforestResMig">
|
||
|
</HEAD>
|
||
|
<BODY>
|
||
|
|
||
|
|
||
|
|
||
|
<P CLASS="procLabel">To perform an interforest resource domain migration</P>
|
||
|
<OL>
|
||
|
<LI>Establish trusts between domains using the Trust Migration Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
|
||
|
<LI>You may also need to use <B>Active Directory Domains and Trusts</B> to manually create trusts between the source and target domain. Migrate the trusts before you migrate user accounts, service accounts, or local groups.</LI>
|
||
|
|
||
|
<LI>For details about creating trusts between domains, see Windows 2000 Server Help and the Windows NT product documentation.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Identify service accounts not running under local system authority using the Service Account Migration Wizard.</LI>
|
||
|
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>Active Directory Migration Tool cannot determine if a particular user account is used by one or more services. If any user accounts in the source domain are used to allow services to log on, you must run the Service Account Migration Wizard and select any servers that are running service accounts. Then, the Active Directory Migration Tool can build a list of the service accounts to be migrated before you run the User Migration Wizard.</LI>
|
||
|
|
||
|
<LI>Many applications, including Exchange Server 5.5, use service account mappings that Active Directory Migration Tool cannot change. These service accounts usually require configuration through registry settings or from within the application itself. You must manually update these accounts after the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=DomainMigration">domain migration</A> is complete.</LI>
|
||
|
|
||
|
<LI>When asked for user account credentials, use credentials with Administrator rights on the specific computer that is using the service accounts.</LI>
|
||
|
|
||
|
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Migrate workstations and member servers using the Computer Migration Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>At this time, you can choose to migrate the local profiles of previously migrated accounts from the same domain as the computer that will be translated. To translate previously migrated accounts from other domains, use the Security Translation Wizard and select each of the domains.</LI>
|
||
|
|
||
|
<LI>When migrating computer accounts from Windows NT domains, Active Directory Migration Tool will not migrate computer descriptions because the computer description attribute is not stored in the Windows NT domain security account manager. The description is stored on the local computer. Active Directory Migration Tool will migrate nonnull computer descriptions from computer accounts in Windows 2000 source domains.</LI>
|
||
|
|
||
|
<LI>The Computer Migration Wizard dispatches an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=Agent">agent</A> to each computer being migrated. The agent restarts each computer after the computers join the target domain. Verify that the default startup menu option on the migrated computers is the migrated Windows NT or Windows 2000 installation.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Migrate local profiles using the Security Translation Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>On the <B>Translate Objects</B> wizard page, select <B>User Profiles</B>.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SharedLocalGroup">shared local groups</A> using the Group Migration Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>On the <B>Group Options</B> wizard page, ensure that <B>Migrate group SIDs to target domain</B> and <B>Do not rename accounts</B> are the only options selected.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Migrate service accounts using the User Migration Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>Service accounts are user accounts used to run services on servers with a set of credentials other than local system authority. These accounts may exist both in a master account domain and in the same resource domain as the server. If the service account is in an account domain, this procedure would be completed by selecting the account domain as the source domain.</LI>
|
||
|
|
||
|
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Update service account user rights using the Security Translation Wizard.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>Select the computers in the source domain from which to translate the user rights. When selecting the source domain, select the domain of the service accounts, not the domain of the computer on which the service accounts are running.</LI>
|
||
|
|
||
|
<LI>On the <B>Translate Objects</B> wizard page, select <B>Local groups</B> and <B>User rights</B>.</LI>
|
||
|
|
||
|
<LI>On the <B>User Account</B> wizard page, type the name of an account with Administrator permissions in the target domain.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Manually move domain controllers into the resource domain.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
|
||
|
<LI>Active Directory Migration Tool can not change the domain affiliation of Windows NT primary domain controllers (PDCs) and backup domain controllers (BDCs) or Windows 2000 domain controllers. PDCs, BDCs, and Windows 2000 domain controllers must be migrated manually. Do not use the Computer Migration Tool to migrate domain controllers. However, you can use all of the other Active Directory Migration Tool wizards on all domain controllers.</LI>
|
||
|
|
||
|
|
||
|
<LI>If the source domain is a Windows NT domain, upgrade the domain controllers to Windows 2000 beginning with the primary domain controller. The Active Directory Installation Wizard will run automatically as part of the upgrade process. When the upgrade is complete, demote the domain controller to a member server and then join the target domain.</LI>
|
||
|
|
||
|
<LI>If the source domain is a Windows 2000 domain, demote the domain controllers and join them to the target domain.</LI>
|
||
|
|
||
|
<LI>After a successful move operation, you should check the user access to resources on the computer that was moved. It may be necessary to run the Security Translation Wizard again on the moved computers to correct the local permissions.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Decommission the source account domain.</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
<LI>When the migration process is complete, the source account domain can be decommissioned. At this time, the domain will cease to exist.</LI>
|
||
|
|
||
|
<LI>Remove all trusts between this domain and all other domains.</LI>
|
||
|
|
||
|
<LI> For information about decommissioning a Windows NT domain, see the Windows NT product documentation.</LI>
|
||
|
<LI>For information about decommissioning a Windows 2000 domain, see Windows 2000 Server Help.</LI>
|
||
|
</UL></DIV>
|
||
|
|
||
|
<LI>Decommission the source resource domain</LI>
|
||
|
<P><A ID="expand" HREF="#" CLASS="expandToggle">More information</A></P>
|
||
|
<DIV CLASS="expand">
|
||
|
<UL>
|
||
|
<LI>When the migration process is complete, the source resource domain can be decommissioned. At this time, the domain will cease to exist.</LI>
|
||
|
|
||
|
<LI>Remove all trusts between this domain and all other domains.</LI>
|
||
|
|
||
|
<LI> For information about decommissioning a Windows NT domain, see the Windows NT product documentation.</LI>
|
||
|
<LI>For information about decommissioning a Windows 2000 domain, see Windows 2000 Server Help.</LI>
|
||
|
</UL></DIV>
|
||
|
</OL>
|
||
|
<P class="important">Important</P>
|
||
|
<UL>
|
||
|
<LI>When performing an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=InterforestMigration"> interforest migration</A>, first migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=AccountDomain">account domains</A>, and then migrate <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domains</A>.</LI>
|
||
|
<LI>Run the wizards in the order listed for best results.</LI>
|
||
|
|
||
|
</UL>
|
||
|
|
||
|
<P CLASS="note">Notes</P>
|
||
|
<UL>
|
||
|
|
||
|
<LI>When running the Service Account Wizard or Computer Migration Wizard, you must be logged on to the <I>source domain</I> as an administrator or member of the Administrators group.</LI>
|
||
|
|
||
|
<LI>When running the User Migration Wizard, Group Migration Wizard, or Security Migration Wizard, you must be logged on to the <I>target domain</I> as an administrator or member of the Administrators group.</LI>
|
||
|
|
||
|
<LI>The target domain must trust all domains that are trusted by the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A> and that contain accounts that are members of local groups you migrate from the source domain. The Trust Migration Wizard allows you to compare and create the source and target domain trusts.</LI>
|
||
|
|
||
|
<LI>During the migration process, this tool truncates service account names that are more than 20 characters long.</LI>
|
||
|
|
||
|
<LI>When migrating a user, group, or computer account that exists in both the source and target domains, if the account in the target domain already has a value for a particular property and the account in the source domain does not have a value for that property, the value of the property in the target domain will be preserved. It will not be overwritten by the null-value of the property in the source domain.</LI>
|
||
|
</UL>
|
||
|
|
||
|
<P><A ID="relTopics" HREF="CHM=DomainMig.chm META=a_admtchkbeforeusing; a_ADMTBestPractices; a_ADMTRunWizard; a_ADMTInterforestResMig; a_admtbeforeintermig; a_admtunderstandtrust; a_TasksRetry; a_TasksUndoLast; a_ADMTOverview; a_ADMTUnderstandMigration; a_ADMTInterforestMig; a_ConceptDomMigSecurityIssues; a_ConceptSecurityTranslationIssues; a_conceptmigratingusersgroup; a_ConceptMigratingComputers; a_ADMTUnderstandTrust; a_ADMTSystemReq; a_ADMTBeforeInterMig">Related Topics</A></P>
|
||
|
|
||
|
</BODY>
|
||
|
</HTML>
|
||
|
|