#158277 - 2006-03-04 04:42 PM
Re: Need Help with ADSI
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
I think he is talking to me... I hear all of what you are saying, guys. I'm going to be stubborn and say I am definitely going to do this in a script. I've got a search script for the user almost working properly; it just needs a few more tweaks. I will adjust it to do the same thing but for the computer. If I can, I will see if it is possible as a UDF, i.e. IsMigrated(olddomain, newdomain), but it's too soon to start speaking like that. I appreciate all your help so far!
#158278 - 2006-03-04 06:00 PM
Re: Need Help with ADSI
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
If your computer reports that @Domain is the old domain, then the computer was NOT migrated and is still in the old NT4 domain.
I have eliminated a hundred NT4 domains, and you need to force people to use the AD user account. Disable the NT4 user accounts that have been migrated. Remediate any logon problems that crop up.
Then, in the AD user's logon script, check @Domain. Any computer reporting the NT4 domain needs to be moved from the NT4 domain to AD.
Check into Netdom.exe.
If you follow this process you will successfully complete your migration in short order. I cannot speak more strongly on this subject without being rude.
#158280 - 2006-03-04 07:20 PM
Re: Need Help with ADSI
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
I do hear you, Les, but let me describe our environment. About 70% of the machines have touch screens with no keyboards; these particular PCs take about 30-45 minutes to complete migration vs. a P4, which takes about 5 minutes. The users already sulk when we have downtime, so any issues that arise can become a major headache for me. Also, we have about 1000 of these machines and only 2 IT staff on duty per shift. I really don't want to work hard. In addition, if something doesn't work then we would rather they revert until we resolve the problem; therefore deleting the old computer account might just make it worse because it takes away this option.
Re: Howard, my PC was definitely migrated and the computer account exists in both domains. I really don't know why @Domain sometimes reports the incorrect domain. I suppose the only way to really test if it was properly migrated would be to remove the trusts... That would be bad at this stage. Also, that doesn't then ensure that there is a user account for them in the new domain, so I would still need to do that check (which I have working now; just the computer search remains). If I can confirm that @Domain is giving an accurate result, then that would mean a lot of the machines we have already migrated are not done properly. Maybe I could use this to verify whether the migration was a success and not a flop, which maybe my PC is? How does @Domain determine where your computer account resides?
#158281 - 2006-03-04 08:28 PM
Re: Need Help with ADSI
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Here is my work in progress; I've still got a bit to do. Two scripts: one to confirm the user account was migrated, the other to confirm the computer account was migrated. I'd like to know if I can use @Domain to verify a successful migration... $sDomain and the log file path need to be configured. I must still consolidate these into a single script. I have not included the forced logoff yet.
Find User:
Code:
; Find User - confirm the logged-on user's account exists in the target AD domain
Dim $Con              ; ADODB.Connection
Dim $Cmd              ; ADODB.Command
Dim $Rs               ; ADODB.Recordset
Dim $sDomain          ; DN of the target domain - cannot be read from RootDSE
                      ; because the user is not logged on to AD yet
Dim $OU
Dim $Domain
Dim $sADsPath
Dim $sFilter
Dim $sAttribsToReturn
Dim $sDepth
Dim $strName
Dim $strCount
Dim $UserLog
Dim $x

; Configure: target domain DN and shared log file
$sDomain = "DC=playtime,DC=playing,DC=com"
$UserLog = "\\host\INCOMING\MIGRATIONLOG.TXT"

$strName = @UserID
If $strName = ""
  ? "No username was specified."
  Exit
Else
  ? "Searching for User Account Name: " + $strName
EndIf

; Create ADO connection object for Active Directory
$Con = CreateObject("ADODB.Connection")
If @Error <> 0
  ? "Error Creating Connection Object"
  Exit
Else
  ? "Successfully Created ADO Connection Object"
EndIf

$Con.Provider = "ADsDSOObject"
If @Error <> 0
  ? "Error Setting Active Directory Provider"
  Exit
Else
  ? "Successfully Set Active Directory Provider"
EndIf

$Con.Open("Active Directory Provider")
If @Error <> 0
  ? "Error Opening Active Directory Provider"
  Exit
Else
  ? "Successfully Opened Active Directory Provider"
EndIf

; Create ADO command object for the connection
$Cmd = CreateObject("ADODB.Command")
If @Error <> 0
  ? "Error Creating ADO Command Object"
  Exit
Else
  ? "Successfully Created ADO Command Object"
EndIf

$Cmd.ActiveConnection = $Con
If @Error <> 0
  ? "Error Assigning Connection"
  Exit
Else
  ? "Successfully Assigned Connection"
EndIf

; Bind to the search base (the whole domain; an OU could be used instead)
;$OU = "OU=Tsogo Domain Users,OU=MTC"
$Domain = GetObject("LDAP://" + $sDomain)
If @Error <> 0
  ? "Error Connecting to Domain: " + $sDomain
  Exit
Else
  ? "Successfully Connected to Domain: " + $sDomain
EndIf

$sADsPath = "<" + $Domain.ADsPath + ">"
If @Error <> 0
  ? "Error setting ADsPath"
  Exit
Else
  ? "Successfully set ADsPath: " + $sADsPath
EndIf

; Build the filter element of the command text
; (a computer example would be (&(objectCategory=computer)(|(name=leased*)(name=corp*))))
$sFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + $strName + "))"
? "Search String: " + $sFilter

; Build the returned-attributes and depth elements of the command text
$sAttribsToReturn = "sAMAccountName"
$sDepth = "subTree"

; Assemble the command text
$Cmd.CommandText = $sADsPath + ";" + $sFilter + ";" + $sAttribsToReturn + ";" + $sDepth
If @Error <> 0
  ? "Error in Query Command Text"
  Exit
Else
  ? "Successful Query Command Text: " + $Cmd.CommandText
EndIf

; Execute the query (Execute returns the recordset; no separate Recordset object is needed)
$Rs = $Cmd.Execute
If @Error <> 0
  ? "Error Executing Query"
  Exit
EndIf

$strCount = $Rs.RecordCount
If $strCount > 0
  ? "Found " + $strCount + " account(s). User " + $strName + " account has been migrated"
  Sleep 2
  If Open(3, $UserLog, 5) = 0
    $x = WriteLine(3, "UserMigrated " + @UserID + " " + @Date + " " + @Time + @CRLF)
    $x = Close(3)
  Else
    Beep
    ? "Failed to open log file, error code: [" + @Error + "]"
  EndIf
Else
  ? "Unable to find a user account in AD for " + $strName
  If Open(3, $UserLog, 5) = 0
    $x = WriteLine(3, "UserNotMigrated " + @UserID + " " + @Date + " " + @Time + @CRLF)
    $x = Close(3)
  Else
    Beep
    ? "Failed to open log file, error code: [" + @Error + "]"
  EndIf
  Exit
EndIf
Find Computer:
Code:
; Find Computer - confirm this workstation's computer account exists in the target AD domain
Dim $Con              ; ADODB.Connection
Dim $Cmd              ; ADODB.Command
Dim $Rs               ; ADODB.Recordset
Dim $sDomain          ; DN of the target domain - cannot be read from RootDSE
                      ; because the user is not logged on to AD yet
Dim $OU
Dim $Domain
Dim $sADsPath
Dim $sFilter
Dim $sAttribsToReturn
Dim $sDepth
Dim $strName
Dim $strCount
Dim $ComputerLog
Dim $x

; Configure: target domain DN and shared log file
$sDomain = "DC=playtime,DC=playing,DC=com"
$ComputerLog = "\\host\INCOMING\MIGRATIONLOG.TXT"

$strName = @WKSTA
If $strName = ""
  ? "No computer name was specified."
  Exit
Else
  ? "Searching for Computer Account Name: " + $strName
EndIf

; Create ADO connection object for Active Directory
$Con = CreateObject("ADODB.Connection")
If @Error <> 0
  ? "Error Creating Connection Object"
  Exit
Else
  ? "Successfully Created ADO Connection Object"
EndIf

$Con.Provider = "ADsDSOObject"
If @Error <> 0
  ? "Error Setting Active Directory Provider"
  Exit
Else
  ? "Successfully Set Active Directory Provider"
EndIf

$Con.Open("Active Directory Provider")
If @Error <> 0
  ? "Error Opening Active Directory Provider"
  Exit
Else
  ? "Successfully Opened Active Directory Provider"
EndIf

; Create ADO command object for the connection
$Cmd = CreateObject("ADODB.Command")
If @Error <> 0
  ? "Error Creating ADO Command Object"
  Exit
Else
  ? "Successfully Created ADO Command Object"
EndIf

$Cmd.ActiveConnection = $Con
If @Error <> 0
  ? "Error Assigning Connection"
  Exit
Else
  ? "Successfully Assigned Connection"
EndIf

; Bind to the search base (the whole domain)
$Domain = GetObject("LDAP://" + $sDomain)
If @Error <> 0
  ? "Error Connecting to Domain: " + $sDomain
  Exit
Else
  ? "Successfully Connected to Domain: " + $sDomain
EndIf

$sADsPath = "<" + $Domain.ADsPath + ">"
If @Error <> 0
  ? "Error setting ADsPath"
  Exit
Else
  ? "Successfully set ADsPath: " + $sADsPath
EndIf

; Build the filter element of the command text - match the computer object by CN
; (its sAMAccountName would carry a trailing $)
$sFilter = "(&(objectCategory=computer)(objectClass=computer)(name=" + $strName + "))"
? "Search String: " + $sFilter

; Build the returned-attributes and depth elements of the command text
$sAttribsToReturn = "name"
$sDepth = "subTree"

; Assemble the command text
$Cmd.CommandText = $sADsPath + ";" + $sFilter + ";" + $sAttribsToReturn + ";" + $sDepth
If @Error <> 0
  ? "Error in Query Command Text"
  Exit
Else
  ? "Successful Query Command Text: " + $Cmd.CommandText
EndIf

; Execute the query (Execute returns the recordset; no separate Recordset object is needed)
$Rs = $Cmd.Execute
If @Error <> 0
  ? "Error Executing Query"
  Exit
EndIf

$strCount = $Rs.RecordCount
If $strCount > 0
  ? "Found " + $strCount + " account(s). Computer " + $strName + " account has been migrated"
  Sleep 2
  If Open(3, $ComputerLog, 5) = 0
    $x = WriteLine(3, "ComputerMigrated " + @WKSTA + " " + @Date + " " + @Time + @CRLF)
    $x = Close(3)
  Else
    Beep
    ? "Failed to open log file, error code: [" + @Error + "]"
  EndIf
Else
  ? "Unable to find a computer account in AD for " + $strName
  If Open(3, $ComputerLog, 5) = 0
    $x = WriteLine(3, "ComputerNotMigrated " + @WKSTA + " " + @Date + " " + @Time + @CRLF)
    $x = Close(3)
  Else
    Beep
    ? "Failed to open log file, error code: [" + @Error + "]"
  EndIf
  Exit
EndIf
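The two KiXtart scripts in the post above do the same lookup twice: does an account with this name exist in the target AD domain? As an added example (not code from the thread or its author), here is that pair of lookups in PowerShell with System.DirectoryServices, the .NET face of the ADSI/ADO query the scripts build by hand. The domain DN and the log path are the placeholders the scripts already use; the LDAP-filter escaping helper, the three-way result (found / absent / could not ask) and the log line format are this example's own choices and are not in the original.

```powershell
# Added example, not code from the thread: check that the logged-on user's account and
# this computer's account exist in the target AD domain, then append one log line each.
# $TargetDomainDN and $LogPath reuse the placeholders from the thread's KiXtart scripts.

$TargetDomainDN = 'DC=playtime,DC=playing,DC=com'     # placeholder from the thread
$LogPath        = '\\host\INCOMING\MIGRATIONLOG.TXT'   # placeholder from the thread

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP filter, so a name taken from
    # the session (or a renamed machine) cannot change the shape of the query.
    # Backslash is escaped first so the escapes added afterwards are not re-escaped.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-AdAccount {
    param(
        [Parameter(Mandatory)][ValidateSet('user', 'computer')][string]$Kind,
        [Parameter(Mandatory)][string]$Name,
        [string]$DomainDN = $TargetDomainDN
    )
    $escaped = ConvertTo-LdapFilterValue -Value $Name
    # Same filters as the scripts: users by sAMAccountName, computers by CN
    # (a computer's sAMAccountName carries a trailing '$').
    $filter = if ($Kind -eq 'user') {
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    } else {
        "(&(objectCategory=computer)(objectClass=computer)(name=$escaped))"
    }
    $root     = [ADSI]"LDAP://$DomainDN"     # binds over the trust; fails if no DC of the target domain is reachable
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    try {
        $hit = $searcher.FindOne()
    } catch {
        # 'Could not ask' is not 'asked and absent': a logon script that cannot reach
        # the new domain must not log the account as NotMigrated.
        return [pscustomobject]@{ Kind = $Kind; Name = $Name; Found = $null; DN = $null; Error = $_.Exception.Message }
    }
    [pscustomobject]@{
        Kind  = $Kind
        Name  = $Name
        Found = ($null -ne $hit)
        DN    = if ($hit) { [string]$hit.Properties['distinguishedName'][0] } else { $null }
        Error = $null
    }
}

function Write-MigrationLog {
    param([Parameter(Mandatory)]$Check)
    $kind   = (Get-Culture).TextInfo.ToTitleCase($Check.Kind)   # 'user' -> 'User', matching the thread's log words
    $status = "${kind}CheckFailed"
    if ($Check.Found -eq $true)  { $status = "${kind}Migrated" }
    if ($Check.Found -eq $false) { $status = "${kind}NotMigrated" }
    # One appended line per check, with a sortable timestamp and the reporting host.
    $line = '{0} {1} {2} {3:yyyy-MM-dd HH:mm:ss}' -f $status, $Check.Name, $env:COMPUTERNAME, (Get-Date)
    Add-Content -Path $LogPath -Value $line
}

# Usage: run from the user's logon script on the workstation being checked.
foreach ($c in @((Find-AdAccount -Kind user -Name $env:USERNAME),
                 (Find-AdAccount -Kind computer -Name $env:COMPUTERNAME))) {
    Write-MigrationLog -Check $c
    $c
}
```

Two points a practitioner would want noted. First, a hit on the computer lookup only proves a computer object exists in the new domain; it says nothing about where the workstation's secure channel actually is, which is the distinction the rest of the thread turns on (nltest /sc_verify answers that, not an LDAP search). Second, the log distinguishes a failed query from a missing account; with 1000 machines writing to one share, a DC that is briefly unreachable would otherwise show up as a batch of false "NotMigrated" entries.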
#158282 - 2006-03-04 10:10 PM
Re: Need Help with ADSI
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Quote:
I really don't know why @Domain sometimes reports the incorrect domain. I suppose the only way to really test if it was properly migrated would be to remove the trusts...
Wrong!!!
You could:
1. Use NLTEST.exe to verify to which DC the workstation is connected for its secure channel. If it is in the AD domain it will say so, and you should delete the computer account from the NT4 domain.
   nltest /parentdomain will tell you the domain of membership.
   nltest /sc_verify:DomainName will verify your workstation's trust to the domain.
2. Simply delete the computer account from the old domain. If you can continue to log on to AD then everything is fine. If not, use Netdom.exe to have your computer join the new domain.
You do not play around with the domain TRUSTs until you are ready to decommission the old domain. The trust affects authentication from AD to all computers in the old domain. You only need to address individual computers.
#158283 - 2006-03-04 10:24 PM
Re: Need Help with ADSI
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
There seems to be a logic flaw in the way you expect to use your code. Accounts can exist in multiple domains, but the necessary processing and communication to the user may not yet have occurred.
You need to be in control of the migration process. That means that you TELL the user when his account is migrated, instructing them on the new logon procedure that should be used on a particular date. On that date you disable the user account in the old domain.
I would suggest that you migrate the users and computers as two separate processes.
What operating systems are you trying to migrate to the AD domain? That fact may alter the processes and tools used to accomplish the task.
You can then use NETDOM to remotely change the workstation membership to the AD domain.
Code:
NETDOM MOVE machine /Domain:domain [/OU:ou path]
            [/UserD:user] [/PasswordD:[password | *]]
            [/UserO:user] [/PasswordO:[password | *]]
            [/UserF:user] [/PasswordF:[password | *]]
            [/REBoot[:Time in seconds]]
NETDOM MOVE Moves a workstation or member server to a new domain
machine is the name of the workstation or member server to be moved
/Domain Specifies the domain to which the machine should be moved. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain. For example: /UserD:domain\user
/UserD User account used to make the connection with the domain specified by the /Domain argument
/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password
/UserO User account used to make the connection with the machine to be moved
/PasswordO Password of the user account specified by /UserO. A * means to prompt for the password
/UserF User account used to make the connection with the machine's former domain (with which the machine had been a member before the move). Needed to disable the old machine account.
/PasswordF Password of the user account specified by /UserF. A * means to prompt for the password
/OU Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.
/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Move has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
When moving a downlevel (Windows NT version 4 or before) machine to a new domain, the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.
When moving a machine to a new domain, the old computer account in the former domain is not deleted. If credentials are supplied for the former domain, the old computer account will be disabled.
The act of moving a machine to a new domain will create an account for the machine on the domain if it does not already exist.
Code:
NETDOM JOIN machine /Domain:domain [/OU:ou path]
            [/UserD:user] [/PasswordD:[password | *]]
            [/UserO:user] [/PasswordO:[password | *]]
            [/REBoot[:Time in seconds]]
NETDOM JOIN Joins a workstation or member server to the domain.
machine is the name of the workstation or member server to be joined
/Domain Specifies the domain which the machine should join. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain. For example: /UserD:domain\user
/UserD User account used to make the connection with the domain specified by the /Domain argument
/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password
/UserO User account used to make the connection with the machine to be joined
/PasswordO Password of the user account specified by /UserO. A * means to prompt for the password
/OU Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.
/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Join has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
Windows Professional machines with the ForceGuest setting enabled (which is the default for machines not joined to a domain during setup) cannot be remotely administered. Thus the join operation must be run directly on the machine when the ForceGuest setting is enabled.
When joining a machine running Windows NT version 4 or before to the domain the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.
The act of joining a machine to the domain will create an account for the machine on the domain if it does not already exist.
#158284 - 2006-03-05 06:29 PM
Re: Need Help with ADSI
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
Hi Howard, thanks for pointing me in this direction. I've been looking at NLTEST and I'm getting the same results as @Domain, i.e. nltest /parentdomain reports my parent domain as the old domain. Now I'm convinced I have a few failed migrations.
Please tell me if you agree. If @domain reports the old domain name then the machine is not migrated properly even if there is a computer account for the machine in the new domain.
If this is correct, then can I use this simple function to do this check?
Code:
Function IsMigrated($NewDomain)
  If @Domain = $NewDomain
    $IsMigrated = 1
  Else
    $IsMigrated = 0
  EndIf
EndFunction
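Howard Bullock's check (nltest /parentdomain for the domain of membership, nltest /sc_verify for the secure channel) and Shaun's IsMigrated() function test the same thing from two angles: where the workstation's machine account really lives, regardless of what computer objects exist in AD. As an added example (not code from the thread or its authors), here is that decision in PowerShell, reading the OS's own view of its membership and then verifying the secure channel with nltest. The old and new domain names passed in are placeholders for the environment; the result shape and reason strings are this example's own.

```powershell
# Added example, not code from the thread: decide whether this workstation has really been
# moved to the AD domain. Win32_ComputerSystem.Domain reports the joined domain (what
# KiXtart's @Domain and 'nltest /parentdomain' report); 'nltest /sc_verify' confirms the
# secure channel to a DC of that domain. Domain names are placeholders for the environment.

function Get-JoinedDomain {
    # The domain the machine account lives in: the DNS name for an AD domain,
    # the NetBIOS name for an NT4 domain. PartOfDomain is $false for a workgroup member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Domain       = $cs.Domain
        PartOfDomain = [bool]$cs.PartOfDomain
    }
}

function Test-SecureChannel {
    param([Parameter(Mandatory)][string]$Domain)
    # Ask Netlogon which DC holds the machine's secure channel for $Domain and re-validate
    # the trust. A healthy channel prints a 'Trusted DC Name \\dc' line and NERR_Success,
    # and nltest exits 0; any other exit code or output means the channel is broken.
    $lines = & nltest.exe "/sc_verify:$Domain" 2>&1 | ForEach-Object { "$_" }
    $text  = $lines -join "`n"
    $dc    = if ($text -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Success   = ($LASTEXITCODE -eq 0 -and $text -match 'NERR_Success')
        TrustedDC = $dc
        Output    = $text
    }
}

function Test-Migrated {
    param(
        [Parameter(Mandatory)][string]$OldDomain,        # NT4 domain NetBIOS name (placeholder)
        [Parameter(Mandatory)][string[]]$NewDomainNames  # target AD domain, DNS and NetBIOS forms (placeholders)
    )
    $joined = Get-JoinedDomain
    if (-not $joined.PartOfDomain) {
        return [pscustomobject]@{ Migrated = $false; Reason = 'not a domain member (workgroup)' }
    }
    # Same test as the thread's IsMigrated() UDF: a machine still reporting the NT4 domain
    # holds its machine account there, whatever duplicate computer object also exists in AD.
    # That is a NETDOM MOVE, not something a directory query can fix.
    if ($joined.Domain -ieq $OldDomain) {
        return [pscustomobject]@{ Migrated = $false; Reason = "still joined to $OldDomain" }
    }
    if ($NewDomainNames -notcontains $joined.Domain) {
        return [pscustomobject]@{ Migrated = $false; Reason = "joined to unexpected domain $($joined.Domain)" }
    }
    # Membership alone is not enough: a stale computer password or a broken trust
    # leaves the machine 'joined' but unable to authenticate anyone.
    $sc = Test-SecureChannel -Domain $joined.Domain
    if (-not $sc.Success) {
        return [pscustomobject]@{ Migrated = $false; Reason = "member of $($joined.Domain) but secure channel failed"; Detail = $sc.Output }
    }
    [pscustomobject]@{ Migrated = $true; Reason = "secure channel with $($sc.TrustedDC)" }
}

# Usage (domain names are placeholders):
$result = Test-Migrated -OldDomain 'OLDNT4' -NewDomainNames @('playing.com', 'PLAYING')
'{0}: Migrated={1} ({2})' -f $env:COMPUTERNAME, $result.Migrated, $result.Reason
```

Test-ComputerSecureChannel (built into Windows PowerShell) gives the same pass/fail as /sc_verify without parsing text; nltest is used here because it is the tool the thread discusses. A machine that comes back "still joined to OLDNT4" is one for NETDOM MOVE, exactly as Howard describes; the duplicate computer object Shaun found in AD does not change that verdict.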
#158286 - 2006-03-05 10:53 PM
Re: Need Help with ADSI
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I think that your function will identify workstations that need to be migrated.