Domain acquisition and consolidation suggestions
Okay, so let's say you've got company abc.com and you're acquiring another business entity. The entity in question is a part of a larger company that's divesting themselves of it, and we'll call that larger company xyz.com. On the surface, the obvious issue to me is that security principals in domain xyz.com will have different SIDs than their new accounts in abc.com, so client computer profiles and file server ACLs would be totally messed up or would have to be manually created from scratch. I can't help but think that there's some tool to ease this transition. On the file server side, it would have to traverse every directory entry and change the SIDs to match their new domain SIDs, and on the client computers it would consist of joining the client computers to the new domain and similarly changing the user profile, service, etc. SIDs to match the corresponding accounts in the new domain. Is there a tool to do this, or is it totally manual? This probably sounds like an ignorant question, but this is the first time I've been involved in something like this at this level. TIA
August 31st, 2010 12:34am
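The file-server half of the question (walking every directory entry and swapping old-domain SIDs for the matching new-domain accounts) can be scripted once you have a SID-to-account mapping. The following PowerShell is an added example written for this thread, not a tool from the original posts or from Microsoft; the CSV layout, the `ABC\` account names and the `S-1-5-21-...` SIDs are constructed placeholders, and it assumes the account running it has rights to read and rewrite the ACLs under the share.

```powershell
# Added example: re-ACL a file tree after a no-trust domain migration.
# Input: a CSV mapping each old-domain SID (exported from xyz.com, e.g. objectSid
# via Get-ADUser) to the matching account in abc.com. Dry-run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$Root,
    [Parameter(Mandatory)][string]$MappingCsv   # columns: OldSid,NewAccount
)

# Constructed sample content for $MappingCsv (placeholder SIDs, replace with your export):
#   OldSid,NewAccount
#   S-1-5-21-1111111111-2222222222-3333333333-1105,ABC\jdoe
#   S-1-5-21-1111111111-2222222222-3333333333-1120,ABC\finance-ro
$map = @{}
Import-Csv -Path $MappingCsv | ForEach-Object {
    $map[$_.OldSid.Trim()] = New-Object System.Security.Principal.NTAccount($_.NewAccount.Trim())
}

$log = [System.Collections.Generic.List[string]]::new()

Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $item = $_
    try { $acl = Get-Acl -LiteralPath $item.FullName }
    catch { $log.Add("SKIP (cannot read ACL): $($item.FullName)"); return }

    # Only explicit ACEs are rewritten; inherited ones follow once the parent is fixed.
    $changed = $false
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        # Old-domain principals appear as raw SIDs because abc.com cannot resolve them.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $map.ContainsKey($sid)) { continue }
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $map[$sid], $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($newAce)
        $changed = $true
        $log.Add("MAP $sid -> $($map[$sid].Value) on $($item.FullName)")
    }
    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Rewrite ACL')) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

# Keep an audit trail of every ACE that was (or would be) changed.
$log | Out-File -FilePath (Join-Path $env:TEMP 'reacl.log') -Append
```

SIDs that are in no mapping row are left untouched, so unmapped old-domain ACEs remain visible in the log as candidates for a follow-up pass rather than being silently dropped.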

To clarify something about that, company xyz.com will not be allowing the transferred business entity to use their domain or any resources - basically the acquired business is "cut off", so there's no forest trust or other types of issues involved here.
August 31st, 2010 12:36am

Hello Todd, you can use ADMT to help in the migration effort. The purpose of the tool is to basically migrate users between domains. The OLD SID is mapped to a new one when the new account is created on the target domain. This would allow the user access to the resources in the source domain via SIDHistory. The tool also aids in the migration of profiles as well, so users' desktops are intact when the computers are joined to the new domain. Start reading and learning about ADMT here: ADMT Guide: Migrating and Restructuring Active Directory Domains http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx
Visit: anITKB.com, an IT Knowledge Base.
August 31st, 2010 1:08am

You can use ADMT for the user, group and computer migration. But you need to establish a trust between the 2 domains. Here is some info: http://www.sivarajan.com/admt.html
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
August 31st, 2010 3:56am

Thanks, I'll have to take a look at that. Seems to me that I vaguely remember using ADMT a long time ago for something, but I don't remember what. In this situation, a trust between the two domains isn't going to be an option as the former owner of the entity being purchased is a large multinational and there's no way they're going to allow that kind of thing.
August 31st, 2010 11:13pm

Without a trust, ADMT is not an option. It's going to be rough.
Visit: anITKB.com, an IT Knowledge Base.
September 1st, 2010 12:38am

If you are using a third-party migration tool like Quest, you can perform the migration without a trust. Again, a trust is not a requirement for Quest, but if you need to access resources in the source domain after the migration, you need a trust. For ADMT, you need to establish a trust.
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
September 1st, 2010 5:32pm

I won't be needing to access anything in their domain after the migration because there won't be any business relationship. As I recall from a long, long time ago when I did something similar, the thing I need done is to extract their users' SIDs and add them to their accounts in our domain. That makes their user profiles on their machines and any ACLs on file server work as they did before. And of course all their computers will be disjoined from the other company's domain and joined to ours.
September 1st, 2010 10:18pm

Everything I'm seeing with ADMT and Quest's Migration Manager looks like I really need to have full network/DNS interaction between my domain controllers and theirs for things to get done. My problem is that we're only acquiring a PORTION of their company, so they're not going to be too terribly gung-ho about tying our two networks together, and frankly neither am I. So here's what I was thinking would be cool - a tool that they could run to select the necessary users/groups/etc. in their AD, which would create an LDF file containing the SIDs of those objects in the sIDHistory attribute. Then I could run that LDF file asynchronously on my domain to create those objects. I don't really have a problem with manually rejoining all of their computers to our domain. Does anyone know of a tool (or even a script, I suppose) that would do this?
September 2nd, 2010 8:05pm

You need to have name resolution between the source and target domains to perform a migration. If you manually re-join the workstation, you will lose all user profile information. Are you OK with that? What about SID history and permissions in the source domain?
http://blogs.sivarajan.com/ http://publications.sivarajan.com/ Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX This posting is provided "AS IS" with no warranties, and confers no rights.
September 3rd, 2010 4:36pm

Well, I think we're going to be stuck with using USMT or just using an administrator account to manually move their documents and stuff from one profile to the other, because I don't see any way come ____ or high water that the source company is going to let us access their corporate resources like that. Of course this is all just conjecture until I visit with them next week. So you said Quest's Migration Manager can bring it over without establishing a trust? I was looking at the literature and it looked like it was more tailored for ongoing domain synchronization.
September 3rd, 2010 10:42pm

You can use Quest Migration Manager (QMM) for AD without a domain trust. But you need to have name resolution between source and target domains.
My Blog: Articles: Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX This posting is provided AS IS with no warranties, and confers no rights.
September 4th, 2010 4:43am

Well that sounds like if I want to do ANYTHING other than a totally manual shot at this, I'm going to have to have some kind of DNS resolution between the two so I guess I'll just have to figure out how to arrange that.
September 7th, 2010 7:01pm

Any update? Please let us know if you need more info.
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX Blogs - http://blogs.sivarajan.com/ Articles - http://www.sivarajan.com/publications.html Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara This posting is provided AS IS with no warranties, and confers no rights.
September 18th, 2010 9:05pm
