This article describes the steps I took when we decided to merge two sister companies into one domain. I have, in the past, used the Active Directory Migration Tool. The ADMT, currently at version 3.0, “provides an integrated toolset to facilitate migration and restructuring tasks in an Active Directory infrastructure”. It works great and has loads of guidance on how to go about the daunting task of migrating 200 users from an NT 4 domain to Active Directory, merging domains or restructuring numerous sub-domains. However, it involves a lot of planning and background fiddling to get it working. In my current situation I needed to migrate only 20 users to our main domain, so I didn’t really want the hassle of reading through the mammoth migration guide. Neither did I want to add everybody one by one. Therefore, I created the following method that did everything I needed as quickly as possible, without making my brain hurt 🙂
Before I go through everything I should point out that the 2 domains are both on the same site and they have a full two-way trust. We’ll call the smaller domain mini.lan and the bigger domain company.lan.
Step 1 – Migrating Users
We want to recreate the 20 users in the new domain. The easiest way to do this is to export the current users with the relevant info as a CSV file.
- Create a search query in AD Users & Computers to include all of the relevant users across all Organisational Units (OUs).
- Add the necessary columns to the view.
- Use the “Export List” menu option to save that as a CSV.
- When the CSV is created you can use this great free app called Active User Manager to batch import the users from the CSV into the AD of company.lan, using a simple wizard.
- Once the users have been imported to company.lan’s AD move them to the relevant OUs and assign/create any groups they were a part of.
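For readers who prefer to script the import, the following is an added example and not the method used in this article. It turns the exported rows into `New-ADUser` calls, giving each account its own random initial password and forcing a change at first logon. The column headers, the OU path and the two sample rows are assumptions constructed for illustration.

```powershell
# Added example. Column headers are assumed to match the ADUC columns chosen
# before "Export List"; the OU path and UPN suffix are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 18 random bytes -> 24 base64 characters, plus a fixed suffix so the value
    # always contains upper, lower, digit and symbol for the complexity policy.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes) + 'aA1!'
}

function ConvertTo-NewUserParams {
    # Map one CSV row to a New-ADUser parameter set (hypothetical helper).
    param([Parameter(Mandatory)]$Row, [string]$TargetOU, [string]$UpnSuffix)
    $sam = $Row.'Pre-Windows 2000 Logon Name'
    @{
        Name                  = $Row.Name
        GivenName             = $Row.'First Name'
        Surname               = $Row.'Last Name'
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        Path                  = $TargetOU
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the initial password is single-use
    }
}

# Constructed sample rows; in practice use: $rows = Import-Csv .\users.csv
$rows = @'
"Name","First Name","Last Name","Pre-Windows 2000 Logon Name"
"Alice Example","Alice","Example","aexample"
"Bob Sample","Bob","Sample","bsample"
'@ | ConvertFrom-Csv

$handover = foreach ($row in $rows) {
    $p = ConvertTo-NewUserParams -Row $row `
            -TargetOU 'OU=Migrated,DC=company,DC=lan' -UpnSuffix 'company.lan'
    $plain = New-RandomPassword
    # -WhatIf makes this a dry run; remove it to create the accounts.
    New-ADUser @p -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) -WhatIf
    [pscustomobject]@{ User = $p.SamAccountName; InitialPassword = $plain }
}
$handover | Format-Table -AutoSize
```

The `$handover` list holds clear-text passwords, so hand each one to its user directly rather than saving the list next to the CSV.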
Step 2 – Migrate Group Policy Objects
The Group Policy Management Console (GPMC) allows you to migrate/copy/paste/drag’n’drop policies between domains.
If a policy contains links to folders on a mini.lan DC, the copying wizard will require a migration table. A migration table is basically a text document that says something like: instead of `\\miniDC\Shares\MyDocs` use `\\CompanyDC\Shares\MyDocs`.
Once the policy has been migrated, it is stored in the “Group Policy Objects” folder within GPMC. You will need to link the policy to the appropriate OU.
WARNING: Migration tables will be unaware of any locations inside logon scripts, batch files etc. Now would be an ideal time to use Group Policy Preferences (GPPs) to map drives, printers etc. and get rid of logon scripts altogether. If you don’t have the time to get involved with GPPs (even though they are amazing and powerful and simple) then just make sure you update scripts to use any new locations.
Step 3 – Migrate Files & Set Permissions
You have a few options for this stage. The end goal is to move all of the files from dc.mini.lan to dc.company.lan. You could use Microsoft DFS-Replication or Xcopy/RoboCopy or you could just use Windows Explorer to move the files across. This really depends on your situation and if the clients need constant access to the files or not. In my case, I just moved folders at a time and made sure the permissions were set correctly at the same time as moving the computer accounts (see step below).
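File permissions are stored as SIDs, so data copied with its ACLs intact can still name mini.lan accounts, and those entries stop resolving once the old domain is gone. The following added example (not part of the original article) lists owners and explicit ACL entries that still point at the old domain or no longer resolve. The NetBIOS name `MINI`, the share path and the sample identities are assumptions.

```powershell
# Added example. 'MINI' (assumed NetBIOS name of mini.lan) and the share path
# are placeholders; adjust both before running.
function Get-AceConcern {
    # Classify one identity string as it appears in an ACL.
    param([string]$Identity, [string]$OldDomain = 'MINI')
    if ($Identity -like "$OldDomain\*") { return 'old-domain account' }
    # A raw SID means Windows could not translate it to a name any more.
    if ($Identity -match '^S-1-5-21-')  { return 'unresolved SID' }
    return $null
}

function Find-OldDomainAce {
    param([Parameter(Mandatory)][string]$Path, [string]$OldDomain = 'MINI')
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Check the owner as well as the explicit (non-inherited) entries.
        $entries = @([pscustomobject]@{ Id = $acl.Owner; Rights = 'Owner' })
        $entries += @($acl.Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                [pscustomobject]@{ Id = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            })
        foreach ($e in $entries) {
            $why = Get-AceConcern -Identity $e.Id -OldDomain $OldDomain
            if ($why) {
                [pscustomobject]@{
                    Path = $item.FullName; Identity = $e.Id
                    Rights = $e.Rights;    Concern  = $why
                }
            }
        }
    }
}

# Constructed identities to show the classification:
'MINI\jsmith', 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'COMPANY\jsmith' |
    ForEach-Object { '{0} -> {1}' -f $_, (Get-AceConcern $_) }

# Against the migrated data (path is a placeholder):
# Find-OldDomainAce -Path 'D:\Shares' |
#     Export-Csv .\old-domain-aces.csv -NoTypeInformation
```

An empty result before Step 5 means no explicit entry on the share depends on mini.lan; inherited entries are skipped because they are reported once on the folder that defines them.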
Step 4 – Migrate Computer Accounts & Local User Profiles
This stage is probably the longest as it involves going physically (or remotely) to each computer and joining the PC to the new domain. One of the problems with this is that a user’s local profile will be recreated the first time they log in to the new domain. Although “My Documents” folders are redirected to the company.lan file server, there are often lots of local settings, app data, Outlook profiles etc. that aren’t. Luckily we can use another free tool, ForensiT’s User Profile Wizard, to do both steps in one, i.e. join the computer to company.lan and re-map a user’s old local profile Security ID/ACL to the new SID. Just go through the wizard and choose the user folder that needs remapping. There is also an enterprise version that you can buy with loads of extra features, but the free edition works fine for what we needed to do.
Step 5 – Decommission Old Domain Controller
At this stage you should be able to use the mini.lan DC for something else, either a secondary DC for the new domain or perhaps a file server or whatever else you want.
To be on the safe side you may just want to shut the server down for a couple of days before you repurpose it. That way, if anything has gone wrong you can keep the old domain still running.
You will need to run DCPromo from the command line to demote the DC to a normal member server. You can also remove the DC role through the “Configure Your Server” wizard or Server Manager.
I hope that this helps some of you out there. I’d like to stress the importance of having a proper plan in place and communicating with the users about the changes going on in the background.
By merging these two domains we have reduced loads of time spent managing both of them, often including lots of unnecessary duplication, therefore saving us time better spent on other things.
P.S. this is the first time I have done Screencasts so let me know if you think they are useful. I didn’t commentate over them as I didn’t have the time but I think they more or less speak for themselves. I used a great bit of open source freeware called CamStudio to create them.