Migrating Microsoft AD Domain to Existing BIND9 Infrastructure

MS Networking Dude justaskme at hotmail.com
Tue Feb 15 05:44:27 UTC 2005 

In news:cujai4$un3$1 at sf1.isc.org,
Millar, Jay <Jay.Millar at stjohn.org> made a post then I commented below
> To clarify, there are actually three domains involved:
>
>   domain.com - static, BIND9 master server A
> ad.domain.com - dynamic, AD domain, BIND9 master server A
>    other.com - dynamic, AD domain, MS DNS master server B
>
> We do in fact want to migrate the hosts in the 'other.com' domain to
> our = existing 'ad.domain.com' domain using AD with our BIND9 master.
> The 'ad.= domain.com' is an existing AD domain which we have managed
> using BIND9 fo= r several years.  In the end, we will have
> accomplished consolidation of = our internal domain space (which will
> greatly simplify things for us), as= well as having eliminated our MS
> DNS server infrastructure (which most o= f us here see as a very good
> thing).
>
> So, my theory was that the migration from one domain to the other
> would s= imply involve 'unregistering' systems in the 'other.com'
> domain, then re-= registering them as new systems in 'ad.domain.com'
> one at a time.
>

To simplify things , I believe you need to concentrate on an AD migration 
priort to your DNS migration. Keep in mind, any MS DNS server will host any 
domain name, whether the machine is a member or a DC of that domain or not, 
so it may be better to stick with MS DNS for the current migration until 
your AD migration is successful, or it will just put another wrench in the 
works.  Simply changing the domain that the workstations are joined to will 
have numerous implications on the client end, especially the users losing 
their current profiles.

You'll also need to look at if Exchange is involved as well. If the current 
Exchange system on other.com will continue to host mail for the migrated 
users on their "changed domain" machine accounts to ad.domain.com. you will 
need to make provisions for that as well. Depending on how many seats you 
have will dictate the best migration method.

The ADMT (AD Migration Tool) will handle all the above. You will need to 
migrate the user accounts, groups, and machine accounts into the new domain. 
You can use this tool or better yet, the Exmerge tool, to migrate their 
mailboxes (if they are using Exchange). The machine migration will disjoin 
and join it to the new domain automatically for you. Plus there is a 
security translator wizard that will allow the new user account in the new 
domain to use the old profiles on the clients. You will also want to opt to 
keep the SIDHistory, which will allow the new users on the new domain to 
access the old resources on the old domain until you migrate those resources 
over as well.Once done, you can clean the SIDHistories.

Once this is all done, as Barry pointed out, you can just slave the zones 
over to your BIND servers, change all the DNS references in their IP 
properties to use the BIND servers, and you should be good to go.


-- 
Ace

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

More information about the bind-users mailing list