Moving AD Users and Computers to new Domain; Best Practices?

Reiner Müller 20 Reputation points
2024-09-10T14:07:06.6566667+00:00

Hello everyone,

For various reasons I am going to have to migrate a customer's AD Users and Computers to a new domain. Since it seems like a rather involved process that I've never done before, I wanted to gather some more info before actually getting on with it.

The Problem:

One of the two Domain Controllers (first on Server 2016, second on Server 2019) exceeded the tombstone timeout due to having been turned off as it had been deemed unnecessary. After I took over the project, the customer and I agreed that we should work towards better resiliency and a layer of redundancy.

After booting up the second DC, it was apparent that it was a lost cause, no chance to get it to ever talk to the first DC again. We have tried a LOT of things that were unsuccessful. So we've ended up removing the second DC manually, doing a metadata cleanup, etc., after which the first DC still complained about the replication.

We've tried adding a new second DC (Server 2019 as we had a license on hand to try it), but the replication problems still persist. We've tried properly removing and re-adding the second DC, nothing worked.

Since the first DC is on Server 2016, we also cannot open a ticket with Microsoft. And I am too worried to try and upgrade this DC to get to a non-EOL version.

The Idea:

The only choice I see is to create an entirely new domain with new DCs.

The concrete gameplan is:

  1. Make two new DCs
  2. Create a new Domain
  3. Somehow (???) allow the two domains to work together
  4. Slowly migrate users and computers until everything is moved
  5. Archive the old DC and Domain

Point 3 is the one that's giving me trouble.

How do I configure the Domains so that users in the new domain can be authenticated in the old domain as well? There are quite a few resources that are locked behind AD authentication and I don't want to lock out either side. This would also allow me to migrate Users and Computers gradually.

Point 4 also raises some questions for me.

What is the best way to move existing Users and Computers from one domain to another?

Active Directory

Accepted answer
  Daisy Zhou 25,446 Reputation points Microsoft Vendor
    2024-09-11T07:59:46.0966667+00:00

    Hello

    Thank you for posting in Q&A forum.

    Based on my experience, for Point 3, you could establish a trust relationship between the old and new domains. And for best practices, here are some key points for your reference:

    1. Planning and Preparation:

    • Evaluate the Current Environment: Gain an understanding of the existing domain structure, including user and computer accounts, along with any dependencies.

    • Develop a Migration Strategy: Draft a detailed plan outlining the necessary steps, timeline, and resources for the migration, ensuring to include a contingency plan.

    • Secure Data with Backups: Confirm that all essential data is securely backed up prior to initiating the migration.

    2. Establishing the New Domain:

    • Initiate the New Domain: Proceed with setting up the new domain and configuring its domain controllers.

    • Form Trust Relationships: Establish trust relationships between the old and new domains as needed to support the migration process.

    3. Migrating Users and Computers:

    • Leverage Migration Tools: Employ tools like the Active Directory Migration Tool (ADMT) or alternative third-party solutions for migrating user accounts, computer accounts, and groups, ensuring compatibility with your setup.

    • Transfer User Profiles: Utilize tools such as the User State Migration Tool (USMT) for transferring user profiles, settings, and data to the new domain.

    • Revise Group Policies: Make sure that Group Policies are revised and properly implemented in the new domain.

    4. Testing and Validation:

    • Conduct Migration Testing: Execute a trial migration with a select group of users and computers to uncover any potential issues.

    • Confirm Migration Success: Check that all user and computer accounts, along with data, have been successfully migrated. Confirm that users are able to log in and access required resources.

    5. Post-Migration Activities:

    • Retire the Old Domain: Following a successful migration and validation, proceed to decommission the old domain controllers and address any residual elements.

    • Observation and Assistance: Keep an eye on the new domain for any arising issues and offer support to users adjusting to the new environment.

    Download Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains from Official Microsoft Download Center

    https://www.microsoft.com/en-gb/download/details.aspx?id=19188&msockid=2fa823e9418f618827b330a240b760df

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

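The trust the accepted answer recommends for Point 3, shown as an added PowerShell example that is not part of the original thread and not the answerer's own script. It runs on a domain controller in the NEW forest, first makes sure the two forests can resolve each other's SRV records, then creates a two-way forest trust through the System.DirectoryServices.ActiveDirectory API (the ActiveDirectory module ships Get-ADTrust but no cmdlet for creating trusts) and verifies it. The forest name `old.example.com`, the DNS address `10.0.0.10` and the credential prompt are assumptions; replace them with the customer's values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumed values: the old forest
# is old.example.com and its surviving 2016 DC answers DNS on 10.0.0.10.
$OldForest = 'old.example.com'
$OldDnsIp  = '10.0.0.10'

# 1. Name resolution first. A trust cannot be created or used unless each
#    forest can locate the other's DCs, so add a conditional forwarder that
#    replicates to every DNS server in the new forest.
if (-not (Get-DnsServerZone -Name $OldForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $OldForest `
        -MasterServers $OldDnsIp -ReplicationScope 'Forest'
}
# Fail early if the DC locator record for the old forest does not resolve.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$OldForest" -Type SRV -ErrorAction Stop | Out-Null

# 2. Create the forest trust. The old forest is reached with an explicit
#    credential (a Domain Admin there); the new forest uses the logged-on user.
$cred    = Get-Credential -Message "Domain Admin credential for $OldForest"
$ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
$oldCtx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
               $ctxType, $OldForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$old = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($oldCtx)
$new = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dir = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

if (-not (Get-ADTrust -Filter "Name -eq '$OldForest'")) {
    # One call creates both halves of the trust with a shared, random trust password.
    $new.CreateTrustRelationship($old, $dir)
}

# 3. Verify the secure channel in both directions and record the security
#    settings of the trust. SIDFilteringForestAware should be True (the default)
#    until ADMT actually needs sIDHistory to be honoured.
$new.VerifyTrustRelationship($old, $dir)
Get-ADTrust -Filter "Name -eq '$OldForest'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware,
                  SIDFilteringQuarantined, SelectiveAuthentication
```

Two caveats a practitioner would check before relying on this. First, the forest trust only lets users of one forest be authenticated by the other; it does not copy anything, so the resource ACLs in the old domain still name old-domain SIDs. ADMT bridges that by stamping the old SID into sIDHistory of the migrated account, and the old side will only honour those SIDs if SID filtering is relaxed on the trust (`netdom trust old.example.com /domain:new.example.com /enablesidhistory:yes`, run against the old domain). That setting is a deliberate widening of the trust boundary, because it lets the new forest assert SIDs belonging to the old one, so turn it back off (`/enablesidhistory:no`) once the last resource has been re-ACLed. Second, the question says the old DC already has unresolved replication errors; `netdom trust old.example.com /domain:new.example.com /verify` and `nltest /sc_verify:old.example.com` from a migrated workstation are the quickest way to confirm that side of the trust stays healthy during the gradual move.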
