Starting a new Active Directory - User Data Migration



Hello,

I work in a school in the UK, and our AD is a complete mess. We are having a completely new server, network and client infrastructure upgrade over the summer and will be starting a new Active Directory/Domain (completely separate) as it is currently fundamentally flawed. As this isn't starting for a while, I am doing some research beforehand and I have some questions regarding existing data.

 

Here's an example of our AD user structure:

Domain1\Staff\Test1

 

I have been able to use Robocopy to migrate data from the user accounts Test1 to Test2 (using this command: "Robocopy /e /copy:DAT \\Domain1\Staff\Test1 \\Domain1\Staff\Test2"). This is great as it moves the data from Test1's user area to Test2's user area and the security permissions are amended correctly (so that the files' security permissions copied from Test1 are changed to Test2, whilst keeping other security group permissions).

 

However with a new Active Directory, domain and security permissions, I'm not sure how it would work.

Domain1\Staff\Test1's data will be moved to Domain2\Staff\Test1's user area.

 

Will this sort the security permissions so that the user on the new domain has the permissions?

 

I hope this makes sense!

 

 


^ Yes you can use that tool to migrate AD objects from one forest to another. 

 

I think he's referring to home drives\user profiles. Do you use roaming profiles?

 

Either way, if you're going to do AD again, document everything, think everything through, and hopefully it won't be a mess like your current forest.

Good luck.

  On 20/05/2015 at 12:34, Iphel said:

Hello,

 

Shouldn't you have used ADMT instead of robocopy?

https://technet.microsoft.com/en-gb/library/cc974332(v=ws.10).aspx

I did not read the whole article but I think you'd better use a migration tool to move your users from old AD to new AD.

Thanks. The user objects in AD aren't much of a problem; it's the home folders and getting the permissions correct once they've copied.

 

  On 10/06/2015 at 05:41, Jared- said:

^ Yes you can use that tool to migrate AD objects from one forest to another. 

 

I think he's referring to home drives\user profiles. Do you use roaming profiles?

 

Either way, if you're going to do AD again, document everything, think everything through, and hopefully it won't be a mess like your current forest.

Good luck.

This is correct. We are currently using mandatory profiles but will be switching to roaming in the new forest.

The company we're buying the new server infrastructure from will also create the new forest for us, so I will expect good documentation to come with it.

  On 10/06/2015 at 08:43, freqnasty said:

As a matter of interest, which Windows Server are you using and migrating to? What kind of hardware?

We are currently a mix of Server 2003 and Server 2008.

We will be migrating to 2x virtual host servers. The virtual servers on these hosts will all be Server 2012.

  On 10/06/2015 at 07:33, Daedroth said:

Thanks. The user objects in AD aren't much of a problem; it's the home folders and getting the permissions correct once they've copied.

 

This is correct. We are currently using mandatory profiles but will be switching to roaming in the new forest.

The company we're buying the new server infrastructure from will also create the new forest for us, so I will expect good documentation to come with it.

 

As long as you apply the correct NTFS permissions to each user folder, should be good to go. May be best to let a user profile get created when the user first logs onto the new domain, and then copy the contents of the existing user profile into the new one. I've come across some dodgy stuff when you try and correct an existing user profile folder to a new user (new SSID etc).

 

Either way, sounds like you'll be fine. 

  On 10/06/2015 at 11:13, Jared- said:

As long as you apply the correct NTFS permissions to each user folder, should be good to go. May be best to let a user profile get created when the user first logs onto the new domain, and then copy the contents of the existing user profile into the new one. I've come across some dodgy stuff when you try and correct an existing user profile folder to a new user (new SSID etc).

 

Either way, sounds like you'll be fine. 

The user profile and home folders are completely separate. Currently they pull down a mandatory profile and have their home directory mapped to H: (\\server1\share1).

We want to change this so it becomes a roaming profile and appdata (redirecting to \\newsan\share1\profiles or a DFS share) and also their home directory (pointing to \\newsan\share1\homefolders or a DFS share).

 

So this won't affect the profile too much, as they'll be created a new one anyway; it's simply the home folder files and folders we're worried about in terms of security.

  On 10/06/2015 at 09:58, Daedroth said:

We are currently a mix of Server 2003 and Server 2008.

We will be migrating to 2x virtual host servers. The virtual servers on these hosts will all be Server 2012.

 

This is a good change. I work in a Data Center, I cringe every time I see a Windows 2000 / 2003 Server. We've migrated most of our projects from 2008 to 2012, but budgets don't cover them all :(

 

Honestly, I would suggest taking an Active Directory class over the summer. It would help you tremendously. I haven't messed with AD since 2010. I hated it then, and will probably hate it now. Haha.

AD is very easy...not sure what is to hate about it other than if you don't know it at all. 

 

Anywho....if you are migrating data to a new server I would suggest robocopy with the following switches:

 

/e /sec /mt:10 /log:%userprofile%\desktop\copy.log

 

This will copy all sub directories, all security information, will do a multithreaded copy taking 10 files at a time vs a single file at a time (usually maximizes bandwidth utilizing 80-100% of the pipe), log file is needed for multithreaded copy you can change the path if you choose as well as the log filename.  Robocopy will also do a compare by default, comparing what is there vs what is not and copying the files that aren't there or copying the newer file over. 


If it is truly a mess.. It may be best to start over.. How many users do you have? You could also make a new domain, make a trust between the two domains and rebuild the new domain slowly and make sure everything is set up right.

  On 10/06/2015 at 13:11, fusi0n said:

If it is truly a mess.. It may be best to start over.. How many users do you have? You could also make a new domain, make a trust between the two domains and rebuild the new domain slowly and make sure everything is set up right.

iirc, he stated it was a school that was doing the upgrading, so 200 - 2000 would be a "guesstimation"

  On 10/06/2015 at 13:07, sc302 said:

AD is very easy...not sure what is to hate about it other than if you don't know it at all. 

 

Anywho....if you are migrating data to a new server I would suggest robocopy with the following switches:

 

/e /sec /mt:10 /log:%userprofile%\desktop\copy.log

 

This will copy all sub directories, all security information, will do a multithreaded copy taking 10 files at a time vs a single file at a time (usually maximizes bandwidth utilizing 80-100% of the pipe), log file is needed for multithreaded copy you can change the path if you choose as well as the log filename.  Robocopy will also do a compare by default, comparing what is there vs what is not and copying the files that aren't there or copying the newer file over. 

Thanks for this. I have previously set up a test Server 2012 machine on its own domain, simply to test the Robocopy theory. I included some switches, but didn't know about the multithread bit, so thanks for that!

 

  On 10/06/2015 at 13:11, fusi0n said:

If it is truly a mess.. It may be best to start over.. How many users do you have? You could also make a new domain, make a trust between the two domains and rebuild the new domain slowly and make sure everything is set up right.

We have approximately 800 users.

  On 10/06/2015 at 13:39, Daedroth said:

Thanks for this. I have previously set up a test Server 2012 machine on its own domain, simply to test the Robocopy theory. I included some switches, but didn't know about the multithread bit, so thanks for that!

 

 

The log file is quite useful too. It allows you to see what has failed...I usually do it twice to see if I can grab the files that it missed or failed (if any...you get stats at the bottom of the file) and so that the log file is much smaller to easily identify what has failed or was missed. FWIW, multithreaded copy was not included with robocopy until Windows 7.

For your new environment, may I suggest you ditch roaming profiles and use a combination of Group Policy to enforce settings, and folder redirection to make data portable?

 

Roaming Profiles is not compatible with Windows 8 settings synchronization, and it also results in long login and logoff times when users put a lot of data on their desktops or document folders. Folder redirection eliminates this.

 

And even if you decide to use roaming profiles, redirect all user data so you don't have those long logins -- especially if you have users across a VPN.

 

As for the migration, keep in mind that your SIDs will change unless you migrate the AD objects in a way that AD is aware of. If they do, your permissions won't work.

 

-Forjo
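An illustration of the SID point for the home folders discussed in this thread, added here as an example and not posted by any participant: files copied with their ACLs keep the old domain's SIDs, so this script lists ACL entries that no longer resolve to an account and, with -Apply, grants each folder's matching new-domain user access. The NetBIOS name DOMAIN2, the one-folder-per-logon-name layout and the choice of Modify rights are assumptions.

```powershell
# Added example: audit migrated home folders and re-grant access to new-domain users.
# Assumptions: NetBIOS domain name 'DOMAIN2', each folder is named after the user's
# logon name, and Modify is the right the owner should hold.
param(
    [string]$HomeRoot  = '\\newsan\share1\homefolders',
    [string]$NewDomain = 'DOMAIN2',
    [switch]$Apply      # without -Apply the script only reports
)

function Get-UnresolvedAce {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Explicit (non-inherited) ACEs, with identities returned as raw SIDs
    $aces = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        try {
            [void]$ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        } catch {
            # Translate throws when no reachable domain can map the SID to an account,
            # which is what an old-domain SID looks like from the new forest
            $ace
        }
    }
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $acl     = Get-Acl -LiteralPath $dir.FullName
    $orphans = @(Get-UnresolvedAce -Acl $acl)
    $status  = 'report only'

    # Look up the new-domain account that should own this folder
    $account = New-Object System.Security.Principal.NTAccount($NewDomain, $dir.Name)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $sid    = $null
        $status = 'no matching user in new domain'
    }

    if ($sid -and $Apply) {
        # Inheritable Modify for the new account; existing entries are left untouched
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        $status = 'granted'
    }

    [pscustomobject]@{
        Folder       = $dir.Name
        OrphanedSids = ($orphans | ForEach-Object { $_.IdentityReference.Value }) -join ','
        Status       = $status
    }
}

$report | Format-Table -AutoSize
```

Run it without -Apply first and review the report; folders with no matching user need a manual mapping before any permissions are changed.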

  On 10/06/2015 at 14:12, Forjo said:

For your new environment, may I suggest you ditch roaming profiles and use a combination of Group Policy to enforce settings, and folder redirection to make data portable?

 

Roaming Profiles is not compatible with Windows 8 settings synchronization, and it also results in long login and logoff times when users put a lot of data on their desktops or document folders. Folder redirection eliminates this.

 

And even if you decide to use roaming profiles, redirect all user data so you don't have those long logins -- especially if you have users across a VPN.

 

As for the migration, keep in mind that your SIDs will change unless you migrate the AD objects in a way that AD is aware of. If they do, your permissions won't work.

 

-Forjo

I'm a little confused, but the plan was:

Point all users' profile data and appdata to a DFS share.

Will this be downloaded as the user logs in, or will it always live on the DFS share and that is accessed when the data is required?

  On 15/06/2015 at 08:22, Daedroth said:

I'm a little confused, but the plan was:

Point all users' profile data and appdata to a DFS share.

Will this be downloaded as the user logs in, or will it always live on the DFS share and that is accessed when the data is required?

If by point you mean redirect, then it will live on the DFS share and get cached using the sync center.

 

I'm not aware of a process whereby you can set a default profile that is downloaded once. It sounds like something that can be done, but I've never used that.

 

I've found that using Group Policy to mandate whatever settings you want in combination with redirecting user data to the server (also using group policy) results in the most portability, fastest logins, and overall the best user experience.  The only downside is that users don't always resolve sync conflicts and need to be trained to do so.

 

If you are actually using roaming profiles (setting a path in the profile path field in AD U & C), then anything there will download the first time and be used locally. The problem is that it will also be updated when the user logs off. And subsequent logins will require validating the data for changes. If this data grows (as in the case of Documents and Desktop being part of the profile), logins can take longer. And the first time a user logs into a different computer, all of that data has to be downloaded again. You also run the risk of losing data if a user is logged into more than one place, changes data in one place, and logs off later in another.

 

To make matters worse, I've also lost data due to network or computer failures during the logoff process.  In short, I won't use roaming profiles anymore. And the fact that you can't use Windows 8 OneDrive settings sync with it seals the deal.

 

-Forjo

If you do AppData, don't have it transfer the AppData/Local folder... that's where the real meat comes from for profiles... That stores mostly all cached data from Chrome / IE and other non-essential things. Granted, however, things such as favorites or recently visited sites won't be saved, but truthfully I don't think that should be an issue on "public" computers (I used public considering multiple students would be using it).

 

 

Depending on your infrastructure, Roaming profiles can work and can be useful. I use a mix of Roaming Profiles and Folder Redirection. Then unload the profile from the computer on logoff. 

 

Granted this works mostly because we only have a few desktops and each user basically only uses that single machine.

Roaming profiles do not work with large profiles.  Too much data being transferred to be effective...when it takes users several minutes to a half hour to log off and log on, this is no longer an acceptable method to use.  Folder redirection, you can turn off offline folders which allows this to be a fast log off and log on process (data only stored on server, not cached on local machine).    Servers go down far less than computers, so it is a safer bet to do that.  Also servers get backed up, usually once a day, sometimes more, this helps against a disaster where a user would lose their data.

  On 15/06/2015 at 14:06, Forjo said:

If by point you mean redirect, then it will live on the DFS share and get cached using the sync center.

 

I'm not aware of a process whereby you can set a default profile that is downloaded once. It sounds like something that can be done, but I've never used that.

 

I've found that using Group Policy to mandate whatever settings you want in combination with redirecting user data to the server (also using group policy) results in the most portability, fastest logins, and overall the best user experience.  The only downside is that users don't always resolve sync conflicts and need to be trained to do so.

 

If you are actually using roaming profiles (setting a path in the profile path field in AD U & C), then anything there will download the first time and be used locally. The problem is that it will also be updated when the user logs off. And subsequent logins will require validating the data for changes. If this data grows (as in the case of Documents and Desktop being part of the profile), logins can take longer. And the first time a user logs into a different computer, all of that data has to be downloaded again. You also run the risk of losing data if a user is logged into more than one place, changes data in one place, and logs off later in another.

 

To make matters worse, I've also lost data due to network or computer failures during the logoff process.  In short, I won't use roaming profiles anymore. And the fact that you can't use Windows 8 OneDrive settings sync with it seals the deal.

 

-Forjo

Right, OK.

 

Basically, I want the following set in Group Policy (in User Config > Windows Settings > Folder Redirection)

 

Setting: Basic - Redirect to the following location

Target folder location: Create a folder for each user under the root path

Root path: \\DFSSHARE\Profiles\%username%

 

If we used normal (.DAT), not mandatory profiles and if I set that for all the folder redirection options, would that be an acceptable way of managing profiles?

  On 15/06/2015 at 14:51, Daedroth said:

Right, OK.

 

Basically, I want the following set in Group Policy (in User Config > Windows Settings > Folder Redirection)

 

Setting: Basic - Redirect to the following location

Target folder location: Create a folder for each user under the root path

Root path: \\DFSSHARE\Profiles\%username%

 

If we used normal (.DAT), not mandatory profiles and if I set that for all the folder redirection options, would that be an acceptable way of managing profiles?

I don't know about the .dat part. But that's exactly the policy I'm talking about. Also, read the two responses above this - they're spot on. If you have good network infrastructure online-only redirection can work really well.

 

You haven't mentioned -- will you have Windows 8+ on the desktops?  If so, you'll want to set up linked Microsoft accounts for settings sync. Otherwise, the mix of roaming profiles and redirection can work really well -- just be careful of the roaming appdata folder -- it can ruin your day. :)

 

-Forjo

  On 15/06/2015 at 16:09, Forjo said:

I don't know about the .dat part. But that's exactly the policy I'm talking about. Also, read the two responses above this - they're spot on. If you have good network infrastructure online-only redirection can work really well.

 

You haven't mentioned -- will you have Windows 8+ on the desktops?  If so, you'll want to set up linked Microsoft accounts for settings sync. Otherwise, the mix of roaming profiles and redirection can work really well -- just be careful of the roaming appdata folder -- it can ruin your day. :)

 

-Forjo

It appears that they'll now be using Windows 7.

We are getting a new network infrastructure in place (10GB backbone with 1GB link to each desktop, plus a wireless N coverage).

This topic is now closed to further replies.