One of our users lost access to her home folder recently; it was a permission denied problem that cropped up for no apparent reason. Subinacl sorted it without fuss.
Is there any need to do anything other than remove all client PCs and servers out of the old domain and into a workgroup?
One of our ICT people suggested that I need to give local admin ownership of the C$ share on all machines. Do I need to do this?
It has this by default. If it has been configured differently, figure out why. My gut tells me that stuff will break during your migration if OLDDOMAIN\Domain Admins are the only accounts that can properly control a machine.
Some more things that I'd investigate before the migration:
- Have you considered the effect that changing GPO scope will have on your machines? If you use GPO Software Installation you may lose the ability to use GPOSI to uninstall applications if you lose the original GPO that installed it.
- Will the paths to the MSIs remain the same? If the MSI was on a network share and the client has not cached the install files, you will not be able to uninstall/repair or patch previously deployed applications properly if that UNC path is not available.
- Is the AV update account a domain account or local account? Is the AV server changing significantly?
- Moving between WSUS servers doesn't always go well and sometimes you need to reset the SoftwareDistribution folder.
- W7 uses Offline files a lot. I believe permissions to them are tied to user SIDs. Have you tested the impact to users trying to access files in the client side cache once they are in the new domain?
- Do any machine local groups contain domain members? This can lead to STOP errors (certainly in XP, haven't much experience with Vista/7) if they remain after a machine has left a domain.
- Do any ACEs on client devices reference domain accounts? This can lead to delays in certain UI features, possibly other unexpected effects too.
- Has your Web Filtering product been tested against the new domain? (I believe there can be gotchas with the increased level of LDAP security in W2K8)
- Do you have any Enterprise certificates? You will get warnings in your logs if they remain on the clients once the old CA goes.
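
An added example, not part of the original thread: a Windows PowerShell sketch for the two checklist items about local groups and ACEs that reference domain accounts. It lists every local group member and every ACE on the given folders whose SID belongs to a domain other than the machine itself. The function names and the default path are hypothetical; run it elevated on a client before it leaves the old domain.

```powershell
# Added example: find old-domain principals in local groups and folder ACLs.
param(
    # Hypothetical default; pass the folders whose ACLs matter to you.
    # Only the ACL on each folder itself is read, not its children.
    [string[]]$Path = @("$env:SystemDrive\Users")
)

# The machine's own SID prefix, taken from any local account.
$localAcct  = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Select-Object -First 1
$machineSid = (New-Object System.Security.Principal.SecurityIdentifier($localAcct.SID)).AccountDomainSid

function Test-ForeignSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Well-known SIDs (SYSTEM, BUILTIN groups, INTERACTIVE) have no AccountDomainSid.
    $dom = $Sid.AccountDomainSid
    [bool]($dom -and ($dom.Value -ne $machineSid.Value))
}

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    # A SID that no longer resolves is exactly what is left behind after the old domain goes.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
}

$hits = @(
    # 1. Local group membership, read through the WinNT ADSI provider.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($group in ($computer.psbase.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            if (Test-ForeignSid $sid) {
                New-Object PSObject -Property @{
                    Source = "Group: $($group.Name)"; Sid = $sid.Value; Name = Resolve-SidName $sid }
            }
        }
    }
    # 2. ACEs on the chosen folders, requested as SIDs so unresolved entries are still seen.
    foreach ($p in $Path) {
        $rules = (Get-Acl -Path $p).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if (Test-ForeignSid $rule.IdentityReference) {
                New-Object PSObject -Property @{
                    Source = "ACL: $p"; Sid = $rule.IdentityReference.Value
                    Name   = Resolve-SidName $rule.IdentityReference }
            }
        }
    }
)
$hits | Sort-Object Source | Format-Table Source, Sid, Name -AutoSize
```

Running it again after the move shows what was left behind: entries that still carry the old domain's SID prefix and now report `<unresolved>`.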
I've been given next to no support over this by line management, except for platitudes stating it won't be an issue. I'm flying by the seat of my pants on this one.
I have a strict four working day window in which to do this, and that includes stripping down the cabs, modifying them, installing new UPSes, etc, as well as the actual domain migration work.
I'm trying to deal with issues as they arise in my mind but, like you, I'm convinced it'll all go pear-shaped for lots of reasons. And no fingernails left to chew!
Do you really have to do the whole migration in this window?
Either way, if you haven't already, spin yourself up a virtual environment with a 'bare metal' restore of your two domains and a client. Then run through the migration testing all the aspects that concern you.
At worst you might discover a show-stopper (for example it can be done in the time available), saving you the stress and grey hairs over the Christmas break.
On the other hand you may only find a couple of minor trip hazards, and you can stop worrying as you then *know* it will work.