1
Resource Kit Tools for Migrating Domains
  • Jack Schmidt
  • HEPNT/HEPIX Fall 1999

2
Guidelines
  • If you have a large number of domains, merge at
    least some before W2000 Upgrade
  • Define when you will have the most resources
  • Before Considerations
  • SAM - don't exceed 40MB and plan on increased SAM
    replication traffic
  • Political Issues
  • If you have a multipurpose PDC consider merging
    before W2000 Upgrade
  • After Considerations
  • Consider moving applications and services from
    domain controllers to member servers
  • If you have single purpose DCs with apps and
    file services on member servers then consider
    waiting

3
Before Suggestions
(Diagram labels: Target A, Source B, Source C)
A trusts B, B trusts C, A does not trust C.
Directory plan calls for B and C to be part of A.
Collapse C into B, then B into A.

4
Before Suggestions
(Diagram labels: Target, Source, PDC IIS FILES, PDC, IIS, FILES)
  • Combine IIS Servers
  • Combine File Sharing
  • Shutdown PDC

5
After Suggestions
(Diagram labels: W2000 Domain, NT4 Domain, DC, PDC, FILES, IIS, IIS)
  • IIS Server simply joins W2000 Domain
  • Shutdown NT4 PDC

6
Before Suggested Steps
  • Migrate user accounts
  • Migrate global groups
  • Update local group memberships
  • Update permissions
  • Update user rights
  • Migrate computer accounts
  • Move domain controllers
  • Move member servers
  • Move workstations

7
Useful NT4 Resource Kit Tools
  • ADDUSERS.EXE - command line tool to create,
    delete, and modify users, global groups and local
    groups.
  • NTRIGHTS.EXE - command line tool to modify user
    rights.
  • NETDOM.EXE - command line tool to manage NT
    domains.
  • SHUTDOWN.EXE - command line tool to remotely
    shutdown or reboot an NT computer.

8
Useful W2000 Resource Kit Tools
  • SIDWalker Tools - found on the W2000 Resource Kit
    (Technet CD NT4 Resource Kit Utilities). Can be
    run on W2000 or NT4!
  • Consists of
  • SHOWACCS.EXE - command line tool to create two
    files
  • Access-profile file, which lists all permissions
    for a computer's files, shares, printers, local
    groups and registry.
  • Mappings file, which lists users and groups which
    appear in the computer's ACLs
  • Security Migration Editor - MMC snap-in that maps
    old users and groups from a mappings file to new
    users and groups. Ability to save changes to
    mappings file
  • SIDWALK.EXE - uses updated mappings file to
    delete or replace SIDs on a computer.

9
User Accounts
  • Goal- Create users in target domain for each
    account in source domain.
  • Use ADDUSERS.EXE to dump users and groups to a
    file
  • Addusers.exe \\sourcedc /d filename
  • Remove Local and Global sections from file.
  • Compare accounts in file to accounts in target
    domain- resolve identical accounts by changing
    username in source domain
  • Use ADDUSERS.EXE to create accounts in target
    domain
  • Addusers.exe \\targetdc /c filename
  • Note: password properties are left blank! Most
    other properties will transfer from source domain

10
Global Groups
  • Goal- Create global groups in target domain for
    each global group in source domain.
  • Use ADDUSERS.EXE to dump users and groups to a
    file
  • Addusers.exe \\sourcedc /d filename
  • Remove Local and Users sections from file.
  • Edit file and change source domain name with
    target domain name
  • Compare global groups in file to global groups in
    target domain- resolve identical groups by
    changing group in source domain
  • Use ADDUSERS.EXE to create global groups in
    target domain
  • Addusers.exe \\targetdc /c filename
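
An added example (not part of the presentation) of the dump-file handling described for user accounts and global groups: it splits an ADDUSERS dump into sections, reports names that already exist in the target domain, and lists accounts whose password field is blank. The "[User]", "[Global]", "[Local]" comma-separated layout and the sample records are assumptions.

```python
# Added example: split an ADDUSERS dump into sections and flag name collisions.
# Assumed dump layout (not shown on the slides): "[User]", "[Global]", "[Local]"
# headers followed by comma-separated records whose first field is the name.

def parse_dump(text):
    """Return {section_name: [record_fields, ...]} for an ADDUSERS-style dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.split(","))
    return sections

def collisions(source, target, section):
    """Names present in both domains (NT account names are case-insensitive)."""
    taken = {rec[0].lower() for rec in target.get(section, [])}
    return sorted(rec[0] for rec in source.get(section, []) if rec[0].lower() in taken)

def keep_only(sections, section, header):
    """Rebuild a file holding a single section, ready for 'addusers /c'."""
    return "\n".join([header] + [",".join(rec) for rec in sections.get(section, [])]) + "\n"

def blank_passwords(sections):
    """Users whose password field (third column) is empty in the dump."""
    return [rec[0] for rec in sections.get("user", []) if len(rec) < 3 or not rec[2]]

# Constructed sample dumps, not real accounts.
SOURCE = """[User]
jsmith,John Smith,,Physics,,,,
backup,Backup Operator,,,,,,
[Global]
Operators,Shift crew,jsmith,backup
[Local]
Administrators,Built-in,SRC\\jsmith
"""
TARGET = """[User]
JSmith,Jane Smith,,Computing,,,,
[Global]
Operators,Control room,JSmith
"""

if __name__ == "__main__":
    src, tgt = parse_dump(SOURCE), parse_dump(TARGET)
    print("user collisions:", collisions(src, tgt, "user"))
    print("group collisions:", collisions(src, tgt, "global"))
    print("need passwords:", blank_passwords(src))
```

Every name returned by `blank_passwords` is an account that will exist in the target domain with no password until one is set.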

11
Local Groups
  • Goal- Add users and global groups from target
    domain to source domain. Must update local groups
    to preserve access on any computer (DC, member
    server, workstations) that will move to the
    target domain
  • Use ADDUSERS.EXE to dump users and groups to a
    file on each machine that will move
  • Addusers.exe \\sourcedc /d filename
  • (if you have 20 systems then you should have 20
    files)
  • Remove Users and Global sections from each file.
  • Replace every reference to the source domain with
    target domain
  • Use ADDUSERS.EXE to create local groups on each
    system in your source domain
  • Addusers.exe \\targetdc /c filename

12
Update Permissions
  • Goal- update permissions for files, shares and
    directories in source domain to reflect accounts
    in the target domain
  • Use SHOWACCS.EXE on every computer in the source
    domain to create access-profiles and account
    mapping files
  • Showaccs.exe accessprofilefile /f /r /s /p /g /m
    accountmappingfile
  • Each account with permissions to resources on
    local computer is written to mappings file
  • Load accountmappingfile into the Security
    Migration Editor MMC snap-in. Select users and
    groups from your target domain that match users
    and groups in your source domain. Update ACL
    information and save mappings file.
  • Use the new accountmappingfile with SIDWALK.EXE
    to write mapping file changes to the local
    computer.
  • Sidwalk.exe accountmappingfile /f /s /l
  • Note: Sidwalk.exe accountmappingfile /t /f /s /l
    will perform a test run.

13
Update User Rights
  • Goal- update user rights on source domain
    machines to reflect accounts in target domain
  • Use NTRIGHTS.EXE to modify rights on source
    domain machines for accounts in the target domain
    by creating a script file of rights, machine
    names and accounts
  • NTRIGHTS U TARGETDOM\USER M \\MACHINENAME R
    seAuditPrivilege
  • Note: You can have one central file that changes
    rights across the source domain

14
Migrate Computer Accounts
  • Goal- create accounts in the target domain for
    all systems in the source domain
  • Use NETDOM.EXE to create the accounts
  • Pipe the output from NETDOM to a text file
  • netdom /domain:domainname member > filename.txt
  • Edit the text file and replace the text and
    preceding the computer name with 'net computer',
    then append /add to the end of each line
  • Member 1 \\kingkong -> net computer
    \\kingkong /add
  • Save file as .bat or .cmd and run in your target
    domain
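
An added example (not part of the presentation) of the edit step above done by script: it reads saved NETDOM member output and emits one 'net computer' line per machine, refusing any name that is not a plain NetBIOS computer name so nothing unexpected ends up in the .bat file. The "Member N = \\NAME" input layout, the name rule and the sample lines are assumptions.

```python
import re

# Added example: turn saved NETDOM member output into "net computer" lines.
# Assumed input layout: "Member 1 = \\KINGKONG" (the "=" is optional here).
MEMBER = re.compile(r"^\s*Member\s+\d+\s*=?\s*\\\\(\S+)\s*$", re.IGNORECASE)
# Assumed rule: NetBIOS computer name, 1-15 letters, digits, '-' or '_'.
VALID = re.compile(r"^[A-Za-z0-9_-]{1,15}$")

def build_batch(netdom_output):
    """Return (batch_lines, rejected_lines) for the target-domain script."""
    batch, rejected, seen = [], [], set()
    for line in netdom_output.splitlines():
        m = MEMBER.match(line)
        if not m:
            continue  # banner and status lines carry no computer name
        name = m.group(1)
        if not VALID.match(name):
            rejected.append(line.strip())  # never copy unvalidated text into a .bat
            continue
        if name.lower() in seen:
            continue  # one account per machine, names compared case-insensitively
        seen.add(name.lower())
        batch.append(f"net computer \\\\{name} /add")
    return batch, rejected

# Constructed sample output, not captured from a real domain.
SAMPLE = r"""Listing members of domain SOURCEDOM ...
Member 1 = \\kingkong
Member 2 = \\GODZILLA
Member 3 = \\kingkong
Member 4 = \\mothra_the_giant_moth
"""

if __name__ == "__main__":
    lines, skipped = build_batch(SAMPLE)
    print("\n".join(lines))
    for entry in skipped:
        print("REM skipped, check by hand:", entry)
```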

15
Move Domain Controllers
  • Note- Leave PDC up in source domain until all
    other computers are moved!
  • To move domain controllers
  • Make sure you have a good backup and record
    permissions on system in case you need to back
    out.
  • Create domain local groups in target domain that
    match local groups in source domain
  • Re-install NT. Make sure to replace OS and not do
    an Update.
  • Boot and examine permissions and user rights.
    Should be that of the target domain.
  • Don't forget to re-install SPs and hotfixes!

16
Moving Member Servers
  • To move member servers
  • Make sure you have a good backup and record
    permissions on system in case you need to back
    out.
  • Join domain
  • Netdom.exe /domain:targetdomain member
    computername /joindomain
  • Verify applications and services are still
    working.

17
Move Workstations
  • To Move workstations
  • Make sure you've followed steps for accounts,
    local and global groups, permissions and rights.
  • Join the domain
  • If you have a few workstations then follow step 2
    above
  • If you have a large number of workstations
  • Copy NETDOM.EXE and SHUTDOWN.EXE to the NETLOGON
    share on source domain PDC
  • Edit domain login script with
  • .\netdom /domain:targetdomain member
    computername /joindomain
  • .\shutdown /l /r /t:30 "You have joined the
    targetdomain domain." /y /c
  • The next logon that runs this script will be to
    your target domain
  • Don't forget about Win95/98 systems!

18
Wrap up
  • Test all commands before rolling out
  • Time consuming job either way..
  • Simplify- fewer domains are easier to upgrade.
  • Break apart multi-purpose PDCs
  • Questions?