Lesson 8: Performing an Intra-Forest Restructure

If the source and target domains in a restructure are in the same Active Directory forest, you can move objects from one domain into another. In this lesson, you'll configure the source and target domains for an intra-forest restructure. You'll use MoveTree and ADMT to illustrate an intra-forest restructure.

After this lesson, you will be able to

• Configure a source and target domain for an intra-forest restructure.
• Apply the restructure tools to clone users and groups from one computer to another.

Estimated lesson time: 70 minutes

An Intra-Forest Restructure

In an intra-forest restructure, you move objects from one domain in a forest into another. The source domain must be a member of the same forest of the destination. In this scenario, you're going to implement this by changing PC2 from being the MIGRATE domain controller to being the domain controller of another domain, MIGKIT. Then you'll upgrade the MIGKIT domain controller to Windows 2000 and make it a child domain of trainkit.microsoft.com. You'll then use MoveTree and ADMT to move users and groups from migkit.trainkit.microsoft.com to trainkit.microsoft.com because the source and target domains will then be in the same forest.

Practice: Intra-Forest Migration

In this practice, you'll reconfigure MIGRATE to become MIGKIT, you'll upgrade MIGKIT to be a Windows 2000 domain controller, and then you'll use MoveTree and ADMT to perform an intra-forest migration. The first phase of the restructure is to upgrade the PDC of the Windows NT system and make it a member of the destination forest. You must do this if you want to perform an intra-forest restructure because the source and destination domains need to be in the same forest.

Exercise 1: Upgrading a PDC and Joining a Forest—The Return of MIGKIT

In this exercise, you'll reconfigure MIGRATE to be MIGKIT and then upgrade the domain MIGKIT to Windows 2000; however, this time it will be part of the trainkit.microsoft.com forest.

1. Log on to MIGRATE as Administrator with the password secret.
2. From the desktop, right-click Network Neighborhood and select Properties.
3. Click the Protocols tab and double-click TCP/IP Protocol to open the Microsoft TCP/IP Properties dialog box.
4. Change the TCP/IP address to 192.168.0.100 and click the DNS tab.
5. Ensure that the DNS entry is correct for TRAINKIT and change the host name to MIGKIT1. Delete the domain name (migrate.microsoft.co.uk), if present. Click OK.

   A warning message appears.

6. Click OK to close it, and then click the Identification tab.
7. Click the Change button, and in the Identification Changes dialog box, change Computer Name to MIGKIT1 and change Domain Name to MIGKIT. Click OK.
8. Click OK in response to the successful name change.
9. Click Yes in response to the warning message about the problems associated with a domain name change.
10. Click OK in the Welcome To The MIGKIT Domain dialog box.
11. Finally, click Close and then click Yes to restart your domain controller.
12. Log on to the MIGKIT domain as Administrator with the password secret.

Exercise 2: Upgrading the Domain in Preparation for an Intra-Forest Move

Now you're going to upgrade MIGKIT1 just like you did in Chapter 6, Lesson 2. Start with step 1 of Exercise 2. When you finish step 9 of Exercise 2, return here and complete the following numbered steps.

10. Select Create A New Child Domain In An Existing Domain Tree, as shown in Figure 9.15, and then click Next.

    

    Figure 9.15 Create Tree Or Child Domain page

11. Type a username of Administrator, a password of secret, and a domain name of TRAINKIT, as shown in Figure 9.16, and then click Next.

    

    Figure 9.16 Network Credentials page

12. On the Child Domain Installation page, type the Parent Domain as trainkit.microsoft.com and the Child Domain as migkit, as shown in Figure 9.17. Then click Next.

    

    Figure 9.17 Child Domain Installation page

13. Accept the default locations for the database and log directories, and click Next.
14. Accept the default location for the shared system volume, and click Next again.
15. On the Permissions page accept the default, Permissions Compatible With Pre-Windows 2000 Servers, and click Next.
16. For the Directory Services Restore Mode Administrator password, type and confirm secret, and click Next.

    The summary page should now be displayed as shown in Figure 9.18.

    

    Figure 9.18 Active Directory Installation Wizard summary page

17. If the information is correct, click Next to install the Active Directory.
18. Once the upgrade has completed, click Finish to close the Active Directory installation wizard.
19. Restart the machine and log on as Administrator to the MIGKIT domain.
20. The first time you reboot a domain controller after an upgrade, you'll see an error that states that at least one service has failed to start. The error refers to the Netlogon service. Close this message box and allow the restart to complete. The message shouldn't appear after the next restart.
21. Open My Computer or Windows Explorer and then open the Tools folder on Drive C:.
22. Double-click the Makeou.vbs Visual Basic script file.

    This will create an OU structure containing users for the intra-forest migration (just in case some of the accounts might have been altered during your earlier exploration of the network).

23. After the script runs, open Active Directory Users And Computers and expand the OU hierarchy of Chaico.

    You should see a structure similar to the one shown in Figure 9.19.

    

    Figure 9.19 Chaico OU structure

    Now you can perform intra-forest migrations, in which objects are moved between the two domains of the single Active Directory forest.

Exercise 3: Using MoveTree for an Intra-Forest Move

In this exercise, you'll use the MoveTree command to migrate the Finance OU in MIGKIT to the TRAINKIT domain. Ensure that the Europe OU has been created on TRAINKIT1, or this exercise won't work.

1. On TRAINKIT1, open Run from the Start menu. In the Open box, type notepad c:\tools\movefin.bat and click OK.
2. Click Yes to create a new file.
3. You will first test the MoveTree command to see whether it will work. Type the following as one long line:

    movetree /check /s migkit1.migkit.trainkit.microsoft.com            /d trainkit1.trainkit.microsoft.com /sdn ou=finance,           ou=chaico,DC=migkit,dc=trainkit,dc=microsoft,dc=com            /ddn ou=finance,ou=europe,dc=trainkit,dc=microsoft,dc=com 

4. Save the file and minimize Notepad.
5. Open a command prompt, change to the Tools folder, and type movefin.bat.

   Your batch file will run and you should see that the precheck is successful and that MoveTree is ready to perform the actual migration.

6. Now switch back to Notepad and change the /check command to /start.
7. Save the file again and switch back to the command prompt.
8. Type movefin.bat again to run the batch file.
9. Open Active Directory Users And Computers and double-click the Europe OU.

   You should see a new OU called Finance containing the Fin1 and Fin2 users.

10. On MIGKIT1, open Active Directory Users And Computers and confirm that the Finance OU has now been deleted.

NOTE

---

If you have problems with this exercise, try using the batch file called ILikeToMoveIt.bat. Note that this is a once-only batch file and must be run from the Tools folder on TRAINKIT1.

Exercise 4: Using ADMT for an Intra-Forest Move

Now you'll round off the intra-forest migration practice by using ADMT to move a user called Intra1 from the migkit.trainkit.microsoft.com domain.

1. On TRAINKIT1, open Active Directory Migration Tool from the Administrative Tools folder.
2. From the Action menu, select Group Migration Wizard.
3. Click Next when the wizard opens.
4. Select Test The Migration Settings And Migrate Later, and click Next.

   The Domain Selection page appears.

5. Ensure that the source domain is MIGKIT (not MIGRATE), and leave the destination domain as trainkit.microsoft.com. Click Next.
6. On the Group Selection page, click Add and select the Intra Users group.
7. Click Add, click OK to return to the Group Selection page, and then click Next.
8. On the Organizational Unit Selection page of the wizard, click Browse and select the Europe OU.
9. Click OK and then click Next.
10. On the Group Options page, ensure that Copy Group Members is selected with the other options shown in Figure 9.20, and then click Next.

    

    Figure 9.20 Group Options page

11. Click OK when the warning message appears.
12. On the User Account page, type Administrator as the user name and secret as the password, and then click Next.
13. On the Naming Conflicts page, accept the default settings and click Next.
14. Click the Finish button.
15. Once the status at the top of the Migration Progress dialog box shows Completed, click the View Log button and review the log file.
16. Click Close and now repeat steps 2 through 15, but this time, in step 4, select Migrate Now.
17. Open Active Directory Users And Computers to view the Europe OU and verify that Intra1 and Intra2 users and the Intra Users group have been moved there.

NOTE

---

If you have any problems with MoveTree and ADMT in the intra-forest exercises, go back to Lesson 4 and check that the source domain has been set up correctly. Remember that auditing must be turned on for user account management, and this can be done via the Domain Controller Security Policy administrative tool. Check that the DNS settings for MIGKIT1 are correct on the DNS server on TRAINKIT1 and that you have an empty group called migrate$$$ on both MIGKIT1 and TRAINKIT1. You can also try reinstalling the TcpipClientSupport registry entry in exactly the same way as outlined in the practice in Lesson 4 of this chapter.