Active Directory Migration Questions

IRJ

@wirestyle22 said in Active Directory Migration Questions:

1. If you migrate an account from a subdomain to the root domain does the account remain on the old domain? Migrate means to move, so it's not a copy. I think it most likely does not remain on the original domain but I wanted to ask anyway.

2. If you have a file server on a subdomain and migrate a user from the subdomain to the root domain but then move the file server over to the root domain as well, how are the directory permissions resolved within the file server? There is a point there where none of the AD user accounts (assuming you move them all) can't resolve.

I'm sure I will think up more I'm foggy today

1.) No. See ADMT

https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

2.) You shouldn't be assigning permissions by users. Only groups

wirestyle22

@irj said in Active Directory Migration Questions:

2.) You shouldn't be assigning permissions by users. Only groups

Yeah of course but I didn't set it up. This is going to be a huge project to correct

travisdh1

@wirestyle22 said in Active Directory Migration Questions:

@irj said in Active Directory Migration Questions:

2.) You shouldn't be assigning permissions by users. Only groups

Yeah of course but I didn't set it up. This is going to be a huge project to correct

One of your predecessors really know how to create lots of make-work for themselves!

wirestyle22

@travisdh1 said in Active Directory Migration Questions:

@wirestyle22 said in Active Directory Migration Questions:

@irj said in Active Directory Migration Questions:

2.) You shouldn't be assigning permissions by users. Only groups

Yeah of course but I didn't set it up. This is going to be a huge project to correct

One of your predecessors really know how to create lots of make-work for themselves!

It's especially hard because I've never had to deal with subdomains before. I'm learning how all of this stuff resolves. I can't just migrate either because the domain I want to use has a ton of accounts that are identical, although different accounts--being used for e-mail specifically. I have no idea why anyone would ever want to do it that way, but here we are.

travisdh1

@wirestyle22 You're AD environment reminds me of this:
http://farm3.static.flickr.com/2277/2180039413_f54b142ff4_o.jpg

wirestyle22

@travisdh1 I have friends who are working for companies with 65,000 employees and still have a single domain. Why do I have 5 domains?

travisdh1

@wirestyle22 said in Active Directory Migration Questions:

@travisdh1 I have friends who are working for companies with 65,000 employees and still have a single domain. Why do I have 5 domains?

Because someone was incompetent or stealing from the company by making make-work for themselves, fixing it is the PITA.

wirestyle22

@travisdh1 said in Active Directory Migration Questions:

@wirestyle22 said in Active Directory Migration Questions:

@travisdh1 I have friends who are working for companies with 65,000 employees and still have a single domain. Why do I have 5 domains?

Because someone was incompetent or stealing from the company by making make-work for themselves, fixing it is the PITA.

Any recommendations for file permissions auditing software?

dbeato

@wirestyle22 said in Active Directory Migration Questions:

1. If you migrate an account from a subdomain to the root domain does the account remain on the old domain? Migrate means to move, so it's not a copy. I think it most likely does not remain on the original domain but I wanted to ask anyway.

2. If you have a file server on a subdomain and migrate a user from the subdomain to the root domain but then move the file server over to the root domain as well, how are the directory permissions resolved within the file server? There is a point there where none of the AD user accounts (assuming you move them all) can't resolve.

I'm sure I will think up more I'm foggy today

1- You would not have duplicate users when move them.

2- The file server will need to have the permissions recreated since the permissions need to be changed. As other posts it should be via group.

dbeato

@wirestyle22 I have used Netwrix besides the default Microsoft Auditing Event Logs.

wirestyle22

Well, it needs to be fixed anyway A lot of work ahead of me

dbeato

@wirestyle22 maybe a powershell script . Let me check.

travisdh1

@wirestyle22 said in Active Directory Migration Questions:

@travisdh1 said in Active Directory Migration Questions:

@wirestyle22 said in Active Directory Migration Questions:

@travisdh1 I have friends who are working for companies with 65,000 employees and still have a single domain. Why do I have 5 domains?

Because someone was incompetent or stealing from the company by making make-work for themselves, fixing it is the PITA.

Any recommendations for file permissions auditing software?

Besides a custom power shell script, nope. I haven't touched Windows Server in quite a while, should probably install a trial license somewhere to correct that.

Dashrender

The last time I used the migration tool, the tool had a way to include the old SID inside the new account so all old permissions still worked.

As far as I know, though never tested, when you move the file sever to the main domain, nothing changes by default on the files themselves. The old permissions should remain intact.

Do you have a lot of files with their own permissions settings, not just the folders?

wirestyle22

@dashrender From what I've seen, yeah.