Can I security translate a domain controller with file services role using ADMT?

Castillo, Dan Paolo 21 Reputation points
2020-10-22T06:14:50.847+00:00

Hi All,

I would like to ask for your expertise if below scenario is possible.

We have domain1.com and we are planning to migrate all users, computers and servers to domain2.com
We only have 1 DC in domain1.com and it has the file service role.

My question is, what is the best course of action to migrate this DC with the file service role to the new domain? Can I security translate it and computer migrate using ADMT? Or security translate and manually disjoin and join?

Thank you in advance.

Windows Server

Accepted answer
  1. Hannah Xiong 6,221 Reputation points
    2020-10-28T08:41:05.483+00:00

    Hi Pao,

    You are welcome. Thank you so much for your feedback.

    Do we also need to migrate the domain controller to the new domain? The following illustration shows the process for restructuring Active Directory domains between forests and the process for migrating resource objects between Active Directory domains in different forests.

    [Image: 35519-1.png]

    To migrate domain controllers between domains, remove Active Directory Domain Services (AD DS) from the domain controller, migrate it as a member server to the target domain, and then reinstall AD DS. (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc974428(v=ws.10))

    After you migrate all the accounts and resources from the source domain to the target domain, perform the following tasks to complete the restructuring process:

    · Transfer the administration of user accounts and group accounts from the source domain to the target domain.
    · Ensure that at least two domain controllers continue to operate in the source domain until the resource migration process is complete.
    · Back up the two domain controllers in the source domain.

    After you complete these steps, you can translate security on the member servers in the target domain and decommission the source domain. The following illustration shows the process for completing the migration of Active Directory domains between forests.

    [Image: 35673-2.gif]

    Translate security on servers to add the security identifiers (SIDs) of the user accounts and group accounts in the target domain to the access control lists (ACLs) of the resources. After objects are migrated to the target domain, the objects contain the ACL entries from both the source and the target domains. Use the Security Translation Wizard in the Active Directory Migration Tool (ADMT) to add the target domain SIDs from the migrated objects.

    For more information, we could refer to:

    Translating Security in Add Mode
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974439(v=ws.10)?redirectedfrom=MSDN

    As for our case, it is a little special. Please make sure to back up the domain controller in the old domain. We did not do the test, so it is hard to tell the best steps. We could check whether the below case could be of some help to you.

    https://social.technet.microsoft.com/Forums/en-US/4d7d6183-14cf-46b9-8dac-096de10aa6fa/admt-security-translation?forum=winserverDS

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
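
The accepted answer says that, after security translation in Add mode, ACLs carry entries from both the source and the target domain. The following PowerShell is an added example, not part of the original answer or of ADMT, that checks this on a file tree before the source domain is decommissioned; the function name, the path and both domain SIDs are hypothetical placeholders.

```powershell
# Added example: read-only audit of NTFS ACLs around an ADMT security translation.
# Both SIDs and the path in the sample call are constructed placeholders; the real
# domain SIDs can be read with (Get-ADDomain <domain>).DomainSID.Value.
function Get-SidTranslationStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SourceDomainSid,   # SID of domain1.com
        [Parameter(Mandatory)] [string] $TargetDomainSid    # SID of domain2.com
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Explicit ACEs only, returned as raw SIDs so unresolvable accounts still show up.
        $rules  = @($acl.GetAccessRules($true, $false, $sidType))
        $source = @($rules | Where-Object { "$($_.IdentityReference.AccountDomainSid)" -eq $SourceDomainSid })
        $target = @($rules | Where-Object { "$($_.IdentityReference.AccountDomainSid)" -eq $TargetDomainSid })
        if ($source.Count -eq 0) { continue }   # nothing from the source domain here

        # Heuristic (assumption): Add mode leaves one target-domain ACE per source-domain ACE.
        $status = if ($target.Count -ge $source.Count) { 'Both domains present' } else { 'Missing target SIDs' }
        [pscustomobject]@{
            Path       = $item.FullName
            SourceAces = $source.Count
            TargetAces = $target.Count
            Status     = $status
        }
    }
}

Get-SidTranslationStatus -Path 'D:\Shares' `
    -SourceDomainSid 'S-1-5-21-1111111111-2222222222-3333333333' `
    -TargetDomainSid 'S-1-5-21-4444444444-5555555555-6666666666' |
    Sort-Object Status, Path | Format-Table -AutoSize
```

Paths reported as `Missing target SIDs` still depend on source-domain accounts only, so access to them would break once the source domain is removed.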


1 additional answer

  1. Hannah Xiong 6,221 Reputation points
    2020-10-23T08:25:03.45+00:00

    Hello,

    Thank you so much for posting here.

    Firstly we should configure forest trust between the two domains.
    Then we could migrate users, groups, computers, etc. with ADMT.
    And then we could migrate the file server and file shares.

    1) We could use Robocopy to migrate the file server, including NTFS permissions. After the migration, we will need to configure share permissions manually.

    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy

    https://www.petenetlive.com/KB/Article/0000427

    2) Or we could perform Security Translation on the file server. It will automatically update the permission based on the migrated objects.

    Similar case: https://social.technet.microsoft.com/Forums/lync/en-US/e4a5e311-b699-4f5e-b42e-a29db629f10b/admt-32-how-to-migrate-file-server?forum=winserverDS

    Here we would like to share more information about Active Directory Migration Tool:

    Best Practices for Using the Active Directory Migration Tool
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc974358(v=ws.10)

    Thank you so much for your time and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong
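
Option 1 above copies NTFS permissions with Robocopy but leaves share permissions to be set by hand. The following PowerShell is an added example, not part of the original answer, that records the old share's permissions first and re-applies them after the copy. Assumptions: `OLDFS`, `Finance`, `D:\Shares\Finance`, `DOMAIN1` and `DOMAIN2` are hypothetical names, both servers run Windows Server 2012 or later (SmbShare module), and migrated accounts kept the same names in the target domain.

```powershell
# Added example; every name below is hypothetical. Run elevated on the new file server.
$shareName = 'Finance'
$oldServer = 'OLDFS'
$localPath = 'D:\Shares\Finance'

# 1. Record the share permissions on the old server; Robocopy does not carry them.
$cim    = New-CimSession -ComputerName $oldServer
$access = Get-SmbShareAccess -Name $shareName -CimSession $cim
Remove-CimSession $cim

# 2. Copy data with NTFS ACLs, owner and auditing info (/COPYALL), subfolders included (/E).
$log = Join-Path $env:TEMP "robocopy-$shareName.log"
robocopy "\\$oldServer\$shareName" $localPath /E /COPYALL /R:2 /W:5 "/LOG:$log"
# Robocopy exit codes of 8 or higher mean at least one file or folder failed to copy.
if ($LASTEXITCODE -ge 8) { throw "Robocopy failed with exit code $LASTEXITCODE, see $log" }

# 3. Re-create the share, drop the default Everyone entry, then re-apply the recorded ACEs.
New-SmbShare -Name $shareName -Path $localPath | Out-Null
Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force | Out-Null
foreach ($ace in $access) {
    # Assumption: DOMAIN1\name was migrated to DOMAIN2\name with the same account name.
    $account = $ace.AccountName -replace '^DOMAIN1\\', 'DOMAIN2\'
    if ($ace.AccessControlType -eq 'Deny') {
        Block-SmbShareAccess -Name $shareName -AccountName $account -Force | Out-Null
    } else {
        Grant-SmbShareAccess -Name $shareName -AccountName $account `
            -AccessRight $ace.AccessRight -Force | Out-Null
    }
}

# 4. Show the result for review before users are pointed at the new share.
Get-SmbShareAccess -Name $shareName
```

The final listing is worth comparing against the recorded `$access` entries, since a broad entry such as Everyone with Full access on the old share is carried over as-is.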
