[gptalk] Re: AD Consolidation

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jan 2008 14:48:52 -0800

Since you posted on the GP list:
One big thing to keep in mind is that when transitioning computer and user 
accounts between domains, the end users and workstations will now have the new 
domain's group policies applied to them.
Make sure, before you migrate the user and computer accounts, that you create and 
link the GPOs that you want applied to those objects on the OUs that will be 
used for the destination domain objects.
If you are using ADMT 3.0, you will need to make sure that on the source domain 
and destination domain OUs you set the correct Windows Firewall settings 
using GPOs, or, if you are using a 3rd party FW on the workstations or servers 
that are migrating, that the ADMT computer migration and security translation 
tool can communicate with the machines before and after migration; otherwise all 
your results will be "FAILED".
I have done domain consolidations within a single forest or between separate forests 
many times and there are many gotchas, and GPO application and delegation of 
administration (which it appears you are after) are usually the 1st thing that 
Do let this happen to you; take the time to lab the whole thing up.
If you need to hire an outside consulting firm, I know a real good one :)
If you have any more questions- feel free to contact me offline using my email 


From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Tue 1/8/2008 1:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: AD Consolidation


Since this is probably more of an AD issue than a Group Policy issue (which 
this list is focused on) I might suggest you post this on the activedir.org 
mailing list as well, as you are likely to get some responses from folks who 
have done a lot of this kind of migration. However, I think the bottom line is 
the answer will be driven by the OU administrators' business needs. If they 
need to be able to create users and computers, create and link GPOs, create 
groups, etc., then you will likely have to make those OUs wide open for them. 
But again, it depends upon what responsibilities they have, keeping in mind 
that access to domain controllers directly will be pretty limited for them.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Daniel Gomes
Sent: Tuesday, January 08, 2008 1:38 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] AD Consolidation


Hello all,


We are at the beginning stages of doing an AD Consolidation. We are looking at 
consolidating two domains into one, having one of the domains become an OU in 
the other. My question is: if anyone has done this before, what would you 
recommend as the best way of assigning rights to the OU of the domain to 
allow its old administrators to still manage the OU and its Sub OUs?
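
The following is an added example, not part of any poster's message: a pre-migration check, run in the destination domain, that the GPOs meant for migrated objects are already linked and enabled on the destination OUs, as the first reply advises. The OU paths and GPO names are constructed placeholders, and the script assumes the GroupPolicy PowerShell module (RSAT / GPMC) is installed.

```powershell
# Added example. OU distinguished names and GPO names below are constructed
# placeholders; replace them with the destination domain's real values.
Import-Module GroupPolicy

$expectedLinks = @{
    'OU=Workstations,OU=Migrated,DC=dest,DC=example' = @(
        'Migrated - Workstation Baseline',
        'Migrated - Windows Firewall for ADMT'
    )
    'OU=Users,OU=Migrated,DC=dest,DC=example' = @(
        'Migrated - User Settings'
    )
}

function Test-DestinationGpoLinks {
    param([Parameter(Mandatory)][hashtable]$Expected)

    foreach ($ou in $Expected.Keys) {
        try {
            # Returns the GPOs linked directly at the OU plus inheritance state.
            $inh = Get-GPInheritance -Target $ou -ErrorAction Stop
        } catch {
            [pscustomobject]@{ OU = $ou; Gpo = '(all)'; Status = 'OU NOT FOUND OR UNREADABLE' }
            continue
        }

        # Map of GPO display name -> link enabled flag for direct links only.
        $direct = @{}
        foreach ($link in $inh.GpoLinks) { $direct[$link.DisplayName] = $link.Enabled }

        foreach ($name in $Expected[$ou]) {
            if (-not $direct.ContainsKey($name)) { $status = 'MISSING LINK' }
            elseif (-not $direct[$name])         { $status = 'LINK DISABLED' }
            else                                 { $status = 'OK' }
            [pscustomobject]@{ OU = $ou; Gpo = $name; Status = $status }
        }

        # Blocked inheritance changes which domain-level policies reach migrated objects.
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ OU = $ou; Gpo = '(inherited)'; Status = 'INHERITANCE BLOCKED' }
        }
    }
}

$report = Test-DestinationGpoLinks -Expected $expectedLinks
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning 'Destination OUs are not ready; fix the rows above before migrating accounts.'
}
```

Any row other than OK means migrated users or computers would land in an OU without the intended policy, including the firewall settings the ADMT agent depends on.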


