Our company is planning on moving from a single forest with multiple domains to a single forest with a single domain.

This is my infrastructure:

Forest Root

ROOT-DC.techtunes.lan
ROOT-ADC.techtunes.lan
ROOT-ADC2.techtunes.lan

SITES:

Cambridge

dc1cam.cambrdige.techtunes.lan
adc1cam.cambrdige.techtunes.lan

Oxford

dc1oxf.oxford.techtunes.lan
adc1oxf.oxford.techtunes.lan

Karachi

dc1khi.karachi.techtunes.lan
adc1khi.karachi.techtunes.lan

Now, we are planning to move our child domains onto root-dc.techtunes.lan, then we will create a separate OU for each site and also place Global Catalogs at each site for backup purposes.

I have read that the Active Directory Migration Tool v3.2 is an important tool to migrate our users, but I have some questions about it.

What happens with users whose names are duplicated in each domain? For example: one user named abc is in Cambridge and also in Karachi. What happens when we move both abc accounts to a single domain?

What about other services like DHCP and DNS? We want to run DHCP locally at each site.

I'd appreciate answers on how to proceed.


Solution 1:

You'll definitely want to use the ADMT for this process. The version you use will be dependent on what systems you need to migrate. For example, if you need to migrate Windows 7 or Server 2008 R2 machines, you will need to run ADMT v3.2, which can only be run on a Server 2008 R2 install. If you have no Server 2008 / 2008 R2 / Windows Vista / Windows 7 machines, you can use ADMT v3.0, which can be installed on Server 2003.

As Mark pointed out, you can't use ADMT to migrate a DC. You'll want to start out your migrations by DCpromo'ing out one DC at the site you are migrating. When that is completed and fully replicated throughout your topology (replmon.exe is good for checking this), you can then use ADMT to migrate the server. Once it has completed migrating, you can then DCpromo it into the Root Domain.

DNS should be installed on the DCs, if not already, and AD will replicate your AD-integrated zones (root domain zone) to the DCs added to your root domain. You will need to re-authorize your DHCP servers once they are migrated over to the root domain (this needs an account with Enterprise Admin privileges).

I have found the following migration order to work well for me:

  1. Migrate Groups
  2. Migrate Users (rename the conflicts before migrating, it will save you a hassle)
  3. ADMT will set your users to change password at next log on after migrating
    1. If you don't want them to have to change the passwords, set each user to not have to change.
  4. DCpromo out one DC, Migrate, DCPromo into new Domain
  5. Migrate any other File, and Application servers (be sure to plan for the impact on applications and verify with Vendors on changes that need to be made).
  6. Migrate PCs
  7. DCpromo out 2nd DC, migrate, DCpromo into new Domain

With proper planning the impact on users should be extremely minimal. I have done migrations of full sites of 100+ PCs and servers in a maintenance window of around 6-8 hours.

There are other things that you will need to consider like using the Password Export Service to migrate passwords.
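An added example, not from the original question or answer, for the duplicate-name problem raised in the question and for step 2 of the answer (rename conflicts before migrating): sAMAccountName only has to be unique within a domain, so accounts that coexist today in separate child domains will collide once they land in one domain. This PowerShell script enumerates every domain in the forest and lists the colliding sAMAccountNames before ADMT is run. It assumes the ActiveDirectory RSAT module and read access to each domain; the output file name is made up.

```powershell
# Added example (not from the original post): find sAMAccountName collisions
# across all domains in the forest ahead of an ADMT consolidation.
# Assumes the ActiveDirectory RSAT module and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$target = $forest.RootDomain            # the domain the users will be moved into
$sources = $forest.Domains | Where-Object { $_ -ne $target }

# Include the target domain too: an existing root-domain account can collide
# with an incoming child-domain account just as two child accounts can.
$users = foreach ($domain in ($sources + $target)) {
    Get-ADUser -Server $domain -Filter * |
        Select-Object @{ n = 'Domain'; e = { $domain } },
                      sAMAccountName,
                      DistinguishedName
}

# Group-Object compares case-insensitively by default, matching AD's own
# treatment of sAMAccountName.
$collisions = $users |
    Group-Object -Property sAMAccountName |
    Where-Object { $_.Count -gt 1 }

if (-not $collisions) {
    Write-Output 'No sAMAccountName collisions found across the forest.'
    return
}

foreach ($c in $collisions) {
    Write-Output ("{0}: {1} accounts" -f $c.Name, $c.Count)
    foreach ($u in $c.Group) {
        Write-Output ("    {0}  {1}" -f $u.Domain, $u.DistinguishedName)
    }
}

# Hand the list to whoever renames the conflicting accounts before migration.
# Output path is a placeholder; change as needed.
$collisions | Select-Object -ExpandProperty Group |
    Export-Csv -Path '.\samaccountname-collisions.csv' -NoTypeInformation
```

Run it with an account that can read user objects in every domain; each collision must be resolved (one side renamed) before that batch of users is migrated, which is the "rename the conflicts before migrating" step in the answer.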