[gptalk] Re: AD Consolidation

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jan 2008 14:56:32 -0800

And actually, Omar you triggered something for me. I think it's a good idea,
when removing computers from one domain and moving them to another, to first
remove the GP settings that currently apply to them before joining the new
domain. There are probably several ways to do that but maybe the easiest
is to create an OU in the domain you are retiring and block inheritance on
it for all GP settings. Then move computer accounts in there and let them
process policy to remove any unwanted settings. Then, move the computer




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Tuesday, January 08, 2008 2:49 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: AD Consolidation




Since you posted on the GP list:


One big thing to keep in mind is that when transitioning computer and user
accounts between domains the end users and workstations will now have the
new domain's group policies applied to them.


Make sure before you migrate the user and computer accounts that you create
and link the GPOs that you want applied to those objects on the OUs that
will be used for the destination domain objects.


If you are using ADMT 3.0, you will need to make sure that on the source
domain and destination domain OUs that you set the correct Windows Firewall
settings using GPOs or if you are using a 3rd party FW on the workstations
or servers that are migrating, that the ADMT computer migration and security
translation tool can communicate with the machines before and after
migration, otherwise all your results will be "FAILED".


I have done domain consolidations within a single or between separate
forests many times and there are many gotchas, and GPO application and
delegation of administration (which it appears you are after) are usually the
1st thing that breaks.


Do let this happen to you- take the time to lab the whole thing up.


If you need to hire an outside consulting firm-I know a real good-one :)-


If you have any more questions, feel free to contact me offline using my
email address.





From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Tue 1/8/2008 1:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: AD Consolidation


Since this is probably more of an AD issue than a Group Policy issue (which
this list is focused on) I might suggest you post this on the activedir.org
mailing list as well, as you are likely to get some responses from folks who
have done a lot of this kind of migration. However, I think the bottom-line
is the answer will be driven by the OU administrators' business needs. If
they need to be able to create users and computers, create and link GPOs,
create groups, etc. then you will likely have to make those OUs wide-open
for them. But again, it depends upon what responsibilities they have,
keeping in mind that access to domain controllers directly will be pretty
limited for them.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Daniel Gomes
Sent: Tuesday, January 08, 2008 1:38 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] AD Consolidation


Hello all,


We are at the beginning stages of doing an AD Consolidation. We are looking
at consolidating two domains into one having one of the domains become an OU
in the other. My question is if anyone has done this before what would you
recommend as the best way about assigning rights to the OU of the domain to
allow its old administrators to still manage the OU and its Sub OUs?


