Windows 2003.. big fat domain issue.. how to fix?

[brxndxn]

Okay.. so I have 3 domains.. and one went down.. (there was no backup.. not my fault because it's not my job)

we're gonna call them.. d1, d2, d3

d1 is the first one made..
then d2..

d1 and d2 fully trust each other

d3 came along.. d3 doesn't trust either d1 or d2
d1 and d2 both trust d3

d1 dies.. completely irrecoverable

so then I rebuilt d4.. with the same name as d1.. and reestablished the trust relationships..

now.. I have a bunch of machines authenticated to d1.. how do I instantly authenticate them to d4 without it creating new local user profiles for everyone?

 

[DrGreen2007]

I dont think you can do that very easily, the SID is going to be different, even though the domain name is the same,
Youll have to put each PC into a workgroup, then put back into the new domain.
Local User Profiles will probably be recreated as well when they log back into the PC on the 'new' domain

 

[brxndxn]

Originally posted by: DrGreen2007
I dont think you can do that very easily, the SID is going to be different, even though the domain name is the same,
Youll have to put each PC into a workgroup, then put back into the new domain.
Local User Profiles will probably be recreated as well when they log back into the PC on the 'new' domain

Okay.. so what is the best way to seamlessly copy the old user profiles to new ones so they don't lose email and other random settings?

 

[drebo]

This is why backup domain controllers are a really, really good idea, as well as comprehensive system state backups.

You can't automatically recreate the user profiles. You will have to recreate each and every one by hand. If you're running Exchange, you should be able to reattach the old mailboxes to the new user accounts.

 

[DrGreen2007]

You can try the USMT (User State Migration Tool) from MS, but Im not sure if it works with the DC being down
Otherwise there are a few methods to 'migrate' the user..
- add machine to new domain
- log on users account...profile will be created useraccount.DC1
- change the registry to point to the new useraccount folder.

There are a bunch of write ups on the net on how to do that.
You could also possibly setup a temp SBS domain for the DC1, which migrates profiles for you, then move off DBD and onto the new DC1

 

[Red Squirrel]

I've done this at home, it's hit or miss: (not to mention would be a very long process to do with many machines unless you can find a way to script it)

1: Reboot machine to ensure all profiles are released
2: Log in as local admin (do not log into any other user, go straight as local admin)
3: rename user's profile to like .bak or something
4: Remove pc from domain, reboot
5: log in as local admin again, re-add to domain, reboot
6: log in as user, allow to load desktop and stuff, reboot
7: log in as local admin, verify that the new user's profile was created, rename the old profile from .bak to the name of the profile just created while deleting this new profile
8: Go to the properties of the old profile and reassign NTFS permissions (you should see a sid instead of a username)

It's important to never log as the user in the middle of this process though, except for in step 6. I've even seen where you can rename the profile right off the bat and skip step 6, but I usually do it to be sure.

It *should* work, but I've seen this be hit and miss and in a corporate environment things always seem to get 10x more complicated due to crappy legacy software. If anyone knows of the company called CGI you know what I'm talking about. Outsourcing programming FTL.

Also you'll run into weird profile setups where the user has like 3 different profiles and they all tie into each other. This gets REAL nasty.