Thursday, March 29, 2007

Be Master Of Your Domain(s)

Well, I blowed up the server at my church real good. Actually, the hard drive went and I hadn't been keeping religious (ha-ha) backups, so a lot of stuff went bye-bye. The most unfortunate thing of all was that the server was master domain controller for the Active Directory network. In fact it was the only one.

When I resurrected (ha-ha) the server I created a new domain for it to master. I wasn't quite sure what the consequences of bringing a server back under the same domain would be for all the users, so I let them continue to log in with their old credentials.

Once I got the server back up and running I was faced with the daunting task of moving everybody over to the new domain. This generally means recreating their accounts on the server and then copying the contents of their old documents and settings folder over to their new documents and settings folder. This may copy stuff over but generally all the settings will be out of whack -- icons not where they are supposed to be, wallpaper and colors don't look right. I'm not quite sure that Outlook is all the same when you switch over, either.

Then I discovered a nice little registry hack on the Microsoft web site. After switching a computer or two over using this method I was able to get the entire process down to about ten minutes per computer. A synopsis of the steps:
  • Log in on the computer under the local admin account.
  • Back up the contents of the docs and settings folder of the old domain account.
  • Change the computer identity to be under the new domain. You'll need the domain admin account info to do this, of course. Note -- once you do this, the user will not be able to access their documents and settings folder using their credentials from the old domain.
  • After you've successfully joined the new domain you'll be prompted to reboot the computer. Do it.
  • When logging in again, log in with the domain admin account.
  • Go to the computer management for the computer. Under users and groups, open the "administrators" folder under "groups."
  • Add the domain account for the user to the admin group. Sorry, I know this probably violates some folks' domain policies, but if you don't do this the new account has a really hard time getting to the new folder.
  • Log out.
  • Log on to the computer using the new domain account.
  • Log out.
  • Log on to the computer using the domain admin account.
  • During the last log on using the new domain account a registry setting was added to the computer for that account. Crack open regedit.
  • Go here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • Under this folder you'll see a handful of other folders with cryptic names. These are settings folders for all the accounts that have logged onto the machine. In each of these folders is a setting called "ProfileImagePath." Find the folder that has the location of the old domain account's docs and settings folder in there. For example, if the user name is "mavickers" look for %system root%\documents and settings\mavickers. Oftentimes the domain name will have been appended after the username with a period. "mavickers.olddomain", for instance.
  • Copy the old ProfileImagePath location to the clipboard.
  • Find the folder corresponding to the new domain account you've created. Generally it will be the last or next to last folder in the list.
  • Open the ProfileImagePath setting for the folder and paste the value from the old account into it.
  • Close regedit.
  • Go to the documents and settings folder for the old domain account and open its properties.
  • Go to the security tab.
  • Add the new domain account to the list on this tab.
  • Give that account full access.
  • Click the advanced button and at the next window click that checkbox at the bottom which tells it to apply the security settings to all the children of that folder.
  • Click OK until you're back out at the desktop.
  • Log off.
  • Pray.
  • Log in with the new domain account.
  • Voila, everything should look just as it did before.
The only thing I've noticed that doesn't work exactly right is that email passwords in Outlook do not carry over -- you have to reenter them. Oh well.
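The registry and security-tab steps above, scripted as an added example (this is not from the original post). It assumes an elevated PowerShell on a workstation that has already joined the new domain and on which the new account has logged on once, so its ProfileList key exists; "NEWDOMAIN" and "mavickers" are placeholders. Because it grants the folder permissions directly, the new account does not have to be put in the local Administrators group.

```powershell
# Added example, not the post's own code: re-point the new domain account's
# profile at the old profile folder and grant it full control there.
# Assumes: elevated session, machine already joined to NEWDOMAIN, and the new
# account has logged on once. Names below are placeholders.
param(
    [string]$UserName  = 'mavickers',   # sample user name from the post
    [string]$NewDomain = 'NEWDOMAIN'    # placeholder for the new domain
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# ProfileList subkeys are named by SID, so resolve the new account to its SID
# instead of guessing "the last or next-to-last folder in the list".
$account = New-Object System.Security.Principal.NTAccount("$NewDomain\$UserName")
$newSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$newKey  = Join-Path $profileList $newSid
if (-not (Test-Path $newKey)) {
    throw "No ProfileList entry for $NewDomain\$UserName; log on as that account once first"
}

# Locate the old profile: ProfileImagePath ends in "\mavickers" or
# "\mavickers.OLDDOMAIN" (the period-suffixed form the post describes).
$pattern = "\\$($UserName)(\.[^\\]+)?$"
$oldKeys = @(Get-ChildItem $profileList | Where-Object {
    $_.PSChildName -ne $newSid -and
    (Get-ItemProperty -Path $_.PSPath).ProfileImagePath -match $pattern
})
if ($oldKeys.Count -ne 1) {
    throw "Expected exactly one old profile for $UserName, found $($oldKeys.Count)"
}
$oldPathRaw = (Get-ItemProperty -Path $oldKeys[0].PSPath).ProfileImagePath
$oldPath    = [Environment]::ExpandEnvironmentVariables($oldPathRaw)

# Registry step: paste the old value into the new account's ProfileImagePath.
# The raw REG_EXPAND_SZ value is copied so %SystemDrive%-style references survive.
Set-ItemProperty -Path $newKey -Name ProfileImagePath -Value $oldPathRaw -Type ExpandString

# Security-tab step: full control for the new account on the folder and all
# children (icacls; on XP use "cacls <path> /T /E /G DOMAIN\user:F" instead).
& icacls $oldPath /grant "${NewDomain}\${UserName}:(OI)(CI)F" /T

Write-Host "Profile for $NewDomain\$UserName now points at $oldPath; log off, then log on as that user."
```

Back up the old profile folder first, as the post's second step says, since the script changes which account owns access to it.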

Beyond all of this KEEP GOOD BACKUPS. Since this disaster I've moved all data to an external RAID 1 enclosure which is backed up nightly to Amazon's S3 service using S3 Backup.

1 comment:

Anonymous said...

Cool explanation. Hopefully I will never have to use it but will keep this in the back of my brain somewhere