2026-01-11
inter-domain object move
Until yesterday, I was convinced that an inter-domain move (within the same forest) is strictly impossible. I did huge migrations, hundreds of thousands of objects, and I thought that inter-domain migration is impossible. Yesterday I found a document or notice regarding movetree.exe, but:
- the new object in the destination domain retains the same object GUID, but of course the SID is different; most migrations require the same SID and the same GUID, or else the new object must be processed properly and treated as if it were the old one (to mimic it)
- the new object has the old SID in sidHistory - ok
- the old object is deleted and can't simply be brought back
In our huge migrations, every time we created a new bunch of objects, in the same forest or in a different forest, we used sidHistory and the old objects remained intact, just to keep flexibility in operations. Every user profile with an Exchange mailbox/Outlook profile was also migrated before the final switch, so... if userA in domain1 (domain1\userA) was prepared for the switch, his user profile with the Outlook profile was prepared for this operation, and on M-Day (migration day) he could just log in to the userA account in domain2 (domain2\userA) and still work with the same environment.
The MoveTree scenario is possible only in small environments, in small migrations.
what's wrong - domain controller or different source?
| what's wrong | possible source | solution |
|---|---|---|
| time unsynchronized | PDC-role domain controller | verify that the PDC is synchronized with an external time source; verify that the DCs are synchronized with the PDC |
| users can't log in | time synchronization (Kerberos); 802.1X issue | check whether the domain controllers are synchronized; are the certificates OK for 802.1X? is the CRL available? |
| users have password-change issues | PDC role availability | maybe something is wrong with the PDC-role DC? |
| can't join a new computer to the domain | per-user limit on new computers; availability of the RID master | increase the limit; check whether the RID master is available (DCs don't have a RID pool to assign) |
| can't create new objects (users, groups, computers) | availability of the RID master | check whether the RID master is available |
| universal group membership failure | infrastructure master; global catalog availability | the infrastructure master is not updating cross-domain links because it is on a global catalog; check whether the global catalog is available |
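A script that runs the checks from the table above in one go (an added example, not from the original post; it assumes the RSAT ActiveDirectory module, w32tm.exe and a domain-joined admin session, and the function name Test-DomainHealthHints is made up):

```powershell
# Added example, not from the original post. Assumes RSAT's ActiveDirectory
# module and a session that can query the domain and the FSMO role holders.
Import-Module ActiveDirectory

function Test-DomainHealthHints {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $pdc    = $domain.PDCEmulator

    # Time: the PDC emulator should follow an external source and every other
    # DC should follow the PDC; Kerberos tolerates only a small clock skew.
    $pdcSource  = (w32tm /query "/computer:$pdc" /source) -join ' '
    $skewReport = w32tm /monitor "/domain:$($domain.DNSRoot)"

    # RID pool: rIDAvailablePool packs the next free RID (low 32 bits) and the
    # ceiling (high 32 bits). Reading it from the RID master itself means a
    # failure here also tells you that role holder is unreachable.
    $ridDn   = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $pool    = [Int64](Get-ADObject -Identity $ridDn -Properties rIDAvailablePool -Server $domain.RIDMaster).rIDAvailablePool
    $nextRid = $pool -band 4294967295     # low 32 bits (decimal literal avoids the Int32 hex trap)
    $maxRid  = $pool -shr 32              # high 32 bits

    # Per-user computer-join limit (ms-DS-MachineAccountQuota, default 10).
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # Infrastructure master on a GC stops updating cross-domain references;
    # that is harmless only when every DC in the domain is also a GC.
    $imOnGc      = $forest.GlobalCatalogs -contains $domain.InfrastructureMaster
    $allDcsAreGc = @($domain.ReplicaDirectoryServers | Where-Object { $forest.GlobalCatalogs -notcontains $_ }).Count -eq 0

    [pscustomobject]@{
        PdcEmulator           = $pdc
        PdcTimeSource         = $pdcSource
        RidMaster             = $domain.RIDMaster
        RidsRemaining         = $maxRid - $nextRid
        MachineAccountQuota   = $quota
        InfrastructureMaster  = $domain.InfrastructureMaster
        InfraMasterOnGc       = $imOnGc
        InfraMasterPlacementOk = (-not $imOnGc) -or $allDcsAreGc
        TimeMonitor           = ($skewReport -join "`n")
    }
}

Test-DomainHealthHints | Format-List
```

A low RidsRemaining, a PDC whose source is "Local CMOS Clock", or InfraMasterPlacementOk = False maps directly onto the rows of the table.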