Our company is planning on moving from a single forest with multiple domains to a single forest with a single domain.
This is my infrastructure:
Forest Root
ROOT-DC.techtunes.lan
ROOT-ADC.techtunes.lan
ROOT-ADC2.techtunes.lan
SITES:
Cambridge
dc1cam.cambrdige.techtunes.lan
adc1cam.cambrdige.techtunes.lan
Oxford
dc1oxf.oxford.techtunes.lan
adc1oxf.oxford.techtunes.lan
Karachi
dc1khi.karachi.techtunes.lan
adc1khi.karachi.techtunes.lan
Now we are planning to move our child domains to root-dc.techtunes.lan, then create a separate OU for each site and also place a Global Catalog at each site for backup purposes.
I have read that the Active Directory Migration Tool v3.2 is an important tool to migrate our users, but I have some questions about it.
What happens with users whose names are duplicated in each domain? For example: one user named abc is in Cambridge and also in Karachi. What happens when we move both abc accounts to a single domain?
What about other services like DHCP and DNS? We want to run DHCP locally at each site.
I'd appreciate answers on how to proceed.
You'll definitely want to use the ADMT for this process. The version you use will depend on which systems you need to migrate. For example, if you need to migrate Windows 7 or Server 2008 R2 machines, you will need to run ADMT v3.2, which can only be run on a Server 2008 R2 install. If you have no Server 2008 / 2008 R2 / Windows Vista / Windows 7 machines, you can use ADMT v3.0, which can be installed on Server 2003.
As Mark pointed out, you can't use ADMT to migrate a DC. You'll want to start your migrations by DCpromo'ing out one DC at the site you are migrating. When that is completed and has fully replicated throughout your topology (replmon.exe is good for checking this), you can then use ADMT to migrate the server. Once it has completed migrating, you can DCpromo it into the root domain.
DNS should be installed on the DCs, if not already, and AD will replicate your AD-integrated zones (root domain zone) to the DCs added to your root domain. You will need to re-authorize your DHCP servers once they are migrated over to the root domain (this needs an account with Enterprise Admin privileges).
I have found the following migration order to work well for me:
With proper planning the impact on users should be extremely minimal. I have done migrations of full sites of 100+ PCs and servers in a maintenance window of around 6-8 hours.
There are other things that you will need to consider like using the Password Export Service to migrate passwords.
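The two checkpoints in the answer above (the demotion has replicated everywhere before you touch the server with ADMT; the DHCP server is authorized again after it lands in the root domain) can be scripted. The following is an added example, not code from the answer or from ADMT: it wraps repadmin.exe instead of the replmon.exe mentioned above, and netsh.exe for DHCP authorization, both of which ship with Windows Server 2008 R2. The CSV column names are the ones repadmin emits with /csv; the "Server [...] Address [...]" line format parsed from netsh, and the host names and IP in the usage section, are assumptions. Run it with an account that has Enterprise Admin rights.

```powershell
# Added example (not from the original answer): verify that a DC demotion has
# replicated through the whole forest, then re-authorize a DHCP server that has
# been migrated into the root domain. Requires repadmin.exe and netsh.exe.

function Test-DcRemovedEverywhere {
    param([Parameter(Mandatory=$true)][string]$DemotedDc)   # short name, e.g. dc1cam (placeholder)

    # One row per inbound replication link for every DC in the forest.
    # Column names are those repadmin writes in /csv mode.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv

    # Links whose last attempt failed: replication is not healthy yet.
    $failing = @($links | Where-Object {
        [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0'
    })
    # Any DC still listing the demoted server as a source has not received the
    # demotion yet (or is holding a stale NTDS Settings object).
    $stale = @($links | Where-Object { $_.'Source DSA' -ieq $DemotedDc })

    New-Object PSObject -Property @{
        Converged    = ($failing.Count -eq 0 -and $stale.Count -eq 0)
        FailingLinks = $failing | Select-Object 'Destination DSA','Source DSA','Naming Context','Last Failure Status'
        StaleLinks   = $stale   | Select-Object 'Destination DSA','Naming Context'
    }
}

function Get-AuthorizedDhcpServers {
    # Parses lines such as "Server [dhcp1.techtunes.lan] Address [10.1.0.10] ..."
    # from netsh; that line layout is an assumption about netsh's output.
    netsh dhcp show server | ForEach-Object {
        if ($_ -match 'Server \[(?<Name>[^\]]+)\]\s+Address \[(?<Ip>[^\]]+)\]') {
            New-Object PSObject -Property @{ Name = $Matches.Name; Address = $Matches.Ip }
        }
    }
}

function Grant-DhcpAuthorization {
    param(
        [Parameter(Mandatory=$true)][string]$Fqdn,   # the server's NEW name in the root domain
        [Parameter(Mandatory=$true)][string]$Ip
    )
    $already = Get-AuthorizedDhcpServers | Where-Object { $_.Name -ieq $Fqdn }
    if ($already) { Write-Host "$Fqdn is already authorized in AD"; return }
    # Authorization writes to the Configuration partition, hence Enterprise Admin.
    netsh dhcp add server $Fqdn $Ip
}

# Usage with placeholder names: after dcpromo'ing dc1cam out of the child domain
# and before handing it to ADMT, confirm the forest no longer knows it as a DC.
$status = Test-DcRemovedEverywhere -DemotedDc 'dc1cam'
if (-not $status.Converged) {
    $status.FailingLinks | Format-Table -AutoSize
    $status.StaleLinks   | Format-Table -AutoSize
    throw 'Replication has not converged; do not migrate the server yet.'
}
# After ADMT has moved the server into techtunes.lan, re-authorize its DHCP role.
Grant-DhcpAuthorization -Fqdn 'dc1cam.techtunes.lan' -Ip '10.1.0.10'
```

The stale-link check is the part that matters for the order the answer describes: a DC that still shows the demoted server as a replication source would also still see its old NTDS Settings object, and promoting the same host into the root domain while that state lingers is how you end up cleaning up metadata by hand.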
This is a Big Thing To Do™. You should first consider hiring a consultant to at least help you plan and coordinate this, if you don't have the expertise in-house. If this isn't an option, then you're on the right track by looking at ADMT.
You can't run ADMT to migrate a Domain Controller. If you only have one DC at each site, you'll need to put a new one down there that's joined to the target domain and migrate that way. You should not decommission all of the DCs at a site until everything from that site has been successfully migrated.
What you will need to do is run ADMT against each PC, server, and user account that exists in the domains you migrate. It can be automated and run remotely, and it is well documented. It can take up to 10 minutes per PC to run, so don't plan on doing this during a lunch break for a whole office. You're going to need at least a weekend, in all likelihood. User accounts and groups migrate a whole lot faster.
If there are duplicated user names, then ADMT can do a few things. It can ignore them and not migrate duplicates. It can overwrite duplicates in the target domain. And it can merge the two objects. The last option is important, because it also transfers group membership. Using merge will give the duplicate accounts all memberships. If your duplicates are for users that are not the same actual person and you don't wish to merge them, you can also rename duplicates with ADMT, though I would probably consider renaming them prior to the migration if there are only a handful.
As for DHCP and DNS: I'm not sure what you're asking. You can continue to run those services at each site like you do now.
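The answer above leaves the duplicate-name decision (merge the objects because they are one person, or rename one side because they are not) to the administrator, and suggests sorting it out before the migration. The script below is an added example, not part of the answer or of ADMT: it pulls every user from each child domain, groups them by sAMAccountName, and flags each collision as a merge candidate or a rename candidate. The child domain names follow the question's naming; using the mail attribute as the "same person" signal is an assumption (employeeID or another attribute your directory populates would do as well), and the sample data at the end is constructed to show the output shape without touching a directory.

```powershell
# Added example (not from the original answer): find sAMAccountName collisions
# across the child domains before running ADMT, and suggest merge vs rename.

function Get-SourceDomainUsers {
    param([string[]]$Domains)
    Import-Module ActiveDirectory          # RSAT / Server 2008 R2 AD module
    foreach ($d in $Domains) {
        # -Server points Get-ADUser at each child domain in turn.
        Get-ADUser -Server $d -Filter * -Properties mail | ForEach-Object {
            New-Object PSObject -Property @{
                Domain            = $d
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                Mail              = $_.mail
            }
        }
    }
}

function Find-SamAccountNameConflicts {
    param([object[]]$Users)
    $Users | Group-Object -Property SamAccountName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $g = $_
            $members     = @($g.Group)
            $missingMail = @($members | Where-Object { -not $_.Mail }).Count
            $mails       = @($members | ForEach-Object { $_.Mail } | Select-Object -Unique)
            # Every copy carries the same mailbox: most likely one person who was
            # given an account in each domain, a candidate for ADMT's merge option.
            # Different (or missing) mail: treat as different people and rename one
            # side in the source domain before migrating, as the answer suggests.
            $samePerson = ($missingMail -eq 0) -and ($mails.Count -eq 1)
            New-Object PSObject -Property @{
                SamAccountName = $g.Name
                Domains        = ($members | ForEach-Object { $_.Domain }) -join ', '
                Suggested      = if ($samePerson) { 'merge' } else { 'rename-before-migration' }
                DNs            = ($members | ForEach-Object { $_.DistinguishedName }) -join ' | '
            }
        }
}

# Constructed sample data (not real directory content) to show the output shape:
# "abc" exists in Cambridge and Karachi with one mailbox; "jsmith" is two people.
$sample = @(
    (New-Object PSObject -Property @{ Domain='cambridge.techtunes.lan'; SamAccountName='abc';
        DistinguishedName='CN=abc,CN=Users,DC=cambridge,DC=techtunes,DC=lan'; Mail='abc@techtunes.lan' }),
    (New-Object PSObject -Property @{ Domain='karachi.techtunes.lan';   SamAccountName='abc';
        DistinguishedName='CN=abc,CN=Users,DC=karachi,DC=techtunes,DC=lan';   Mail='abc@techtunes.lan' }),
    (New-Object PSObject -Property @{ Domain='oxford.techtunes.lan';    SamAccountName='jsmith';
        DistinguishedName='CN=jsmith,CN=Users,DC=oxford,DC=techtunes,DC=lan';  Mail='john.smith@techtunes.lan' }),
    (New-Object PSObject -Property @{ Domain='karachi.techtunes.lan';   SamAccountName='jsmith';
        DistinguishedName='CN=jsmith,CN=Users,DC=karachi,DC=techtunes,DC=lan'; Mail='jane.smith@techtunes.lan' })
)
Find-SamAccountNameConflicts -Users $sample |
    Format-Table SamAccountName, Domains, Suggested -AutoSize

# Live run against the three child domains from the question:
# Find-SamAccountNameConflicts -Users (Get-SourceDomainUsers 'cambridge.techtunes.lan','oxford.techtunes.lan','karachi.techtunes.lan') |
#     Export-Csv .\sam-conflicts.csv -NoTypeInformation
```

Running this once per site, and again just before the maintenance window, gives you the list of names to rename in the source domain ahead of time and the list you will deliberately let ADMT merge, so the conflict handling ADMT applies during the run is a decision you already made rather than a surprise in the migration log.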