Create New Domain Tree vs Create New Forest?
Hi,
I have a scenario: our company has changed its name, and we've been tasked with setting up a new domain corresponding to the new name (this is largely for the purposes of management not seeing the name of the old company when they're logging in). From our point of view, we're 'ok' with a part migration if it makes for less work and/or a simpler migration, i.e. a part-migration would mean we would be comfortable leaving elements/servers in the old domain, with trusts to the new domain.
My question is: all things considered, should we go for:
1) a new root domain in the same forest; or 2) a new forest with a new domain, with a trust between the new forest and the old forest.
Which is more work? Which is more complicated?
Example notes:
- domain1.local (already exists). Functional level: Server 2003. Exchange 2003.
- newdomain.local (either a new root domain in the existing forest, or a new domain in a new forest). Intended functional level: Server 2008 R2, Exchange 2010. The intent is that existing and future mailboxes migrate to Exchange 2010 and Exchange 2003 is retired.
- The same network infrastructure is used, but we have allocated different subnets (which can be VLAN'ed off) for the new domain.
- I am hoping you can provide guidance on which path we should take. Are there any guides you can point me to?
- I'm aware that introducing a 2008 DC into a 2003 functional level environment means we first need to run adprep /forestprep and /domainprep. But is this required in the scenario where we are introducing a new (and first) domain controller for a new root domain in the same forest? Or does the introduction of the first DC create the correct AD 2008 schema without the need for adprep?
- Is using a different subnet and switch VLAN sufficient to separate the old and new domains, e.g. so that devices in the new domain do not register with the DNS or DHCP server of the old domain? Ultimately though, we still want a level of domain trust so that users in the new domain can still access servers that remain in the old domain (either remaining permanently or during the transition).
This is a summation of our environment: we have approx. 150 users (+mailboxes) and 4 offices in geographically different locations (each office is an AD site, with a domain controller in each). The current Exchange 2003 environment has a sole FE server and 1st server hosted in one site, and a 2nd Exchange server in another site. (The two remaining sites have no Exchange servers.)
Questions:
Any other pointers appreciated.
Thanks!
Thank you both for your feedback.
So the key consideration when using ADMT with either a new root domain tree in the same forest or a new domain in a new forest appears to be this:
- Interforest Active Directory domain restructure -- when you migrate objects between forests, both the source and target domain environments exist simultaneously. This makes it possible to roll back to the source environment during the migration, if necessary.
- Intraforest Active Directory domain restructure -- when you restructure domains in a forest, the migrated accounts no longer exist in the source domain. Therefore, rollback of the migration can occur when you carry out the migration process again in reverse order.
My questions thus:
Where it refers to "when you migrate objects between forests, both the source and target domain environments exist simultaneously", does this mean that when you migrate an account to the new forest, the account still exists in duplicate in the old domain? I'm not sure I understand the definition.
Yes, that's correct. That's because an interforest migration "copies" user and group accounts. And after you migrate a batch of users or groups in this scenario, if you don't like them, you can trash them and start over. However, migrating computer accounts is a one-shot deal, so do that after you make sure the users and groups are migrated properly.
.
As far as trusts are concerned, is there a difference in trust level between domains in different forests versus a trust between domains in the same forest? Again, I'm trying to ascertain which option will have the least impact in terms of work involved and ongoing support. If both trusts offer the same net result in terms of permissions (as mentioned, some servers/services may have to remain on the old domain), I agree with Mr X that, all things being equal, a clean slate is the better approach.
No difference, you can use either. Forest trusts are highly preferred and are DNS based. If connecting the 2 across a router, and if you use NTLM trusts, you need NetBIOS support. And I agree with Mr X - a clean slate is the better choice.
And if you're going to co-exist the 2 while the migration is going on, which of course depends on whether you can migrate in one weekend or not, you need to enable SIDHistory so the new users in the new domain can still access resources in the old domain, such as servers, printers, Exchange mailboxes, etc. Here's more on trusts and SIDHistory:
ADMT: Configure Trusts for SIDHistory
http://setspn.blogspot.com/2010/05/admt-configure-trusts-for-sidhistory.html
Here's a flowchart of what needs to be done:
http://www.sivarajan.com/admt.html
.
Am I correct in saying that interforest domain trusts are implicit and automatically created between domains when a new root tree domain is created in an existing forest? (Whereas intraforest trusts are manually applied.)
I don't understand the question.
Note: "intra"forest means within a forest, and "inter"forest means between 2 separate forests.
Therefore, do you mean you want to create a new tree in the same forest? If so, a new tree within the existing forest, and the trusts within the forest, are automatically created upon creation of a new child domain or tree, and they are all automatic two-way, transitive trusts, as are all trusts within a forest.
If you mean you want to create a brand new domain in a brand new forest, no, there are no trusts created automatically between different forests, as they are 2 completely separate entities.
In your scenario, I highly suggest a new forest and migrating to it. Creating an additional tree in the existing forest will vastly complicate things over the long haul, and besides, the old name will still be there, because you can't dump the original forest root domain.
.
Regarding the networking question, is it sufficient to VLAN off a segment of the network, and as long as the new domain/forest is set up on the new designated subnet range (but still on the same network and infrastructure), will this provide an appropriate level of segregation between the domains?
I think that's the best scenario, because it will give the new organization the opportunity to have its own DHCP services and DNS servers, setting DHCP options to specific servers in its own infrastructure. If on the same subnet, it's more difficult and complex to manage.
.
I appreciate your patience with what might appear to be trivial/basic questions. Unfortunately, although I maintain the Exchange and AD environment (and a little of the networking), I have never done an AD migration or created a new domain.
As for Exchange, that complicates it, too, but it's not that bad, I'd say. Yes, it's complex, don't get me wrong, but once co-existence is working, it's smooth sailing. I suggest posting Exchange migration questions in the Exchange forum for specific assistance:
http://social.technet.microsoft.com/forums/en-us/exchange2010/threads
.
Just a suggestion... I think you would be better off hiring a consulting company that has performed multiple migrations in the past. That way it takes the guesswork out of it on your part, and the transition will be as smooth and efficient as possible. If you come across roadblocks in the middle of it, or complexities arise, the forums may not be the best due to the immediate assistance you may need and the availability of those in the forum responding on a timely basis.
.
Thanks!
P.S. Sandesh - regarding the sample suggestion, it is a dead link. Would you be able to repost?
Sample user/computer migration steps.
http://www.arconi.com/solutions-articles/solutions/120-admtmigrationsteps.html
This is a 404 link, because Jorge migrated his data to a new blog.
Migrating stuff with ADMTv3
http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/migrating-stuff-with-admtv3.aspx
And I don't have the link to his new blog.
.
And good luck!
.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
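A read-only way to verify the points debated in this thread (whether adprep has raised the schema to the 2008 R2 level, what kind of trust exists between the two environments, and whether ADMT-copied accounts actually carry sIDHistory), added here as an example and not part of the original thread. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 RSAT or later (Get-ADTrust is not in the 2008 R2 module) and uses the thread's newdomain.local as a placeholder name.

```powershell
# Added example (not from the thread): read-only checks for the new-forest
# coexistence setup discussed above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder taken from the thread's example notes.
$NewDomain = 'newdomain.local'

# 1) Schema level: adprep /forestprep raises objectVersion on the schema
#    naming context (30/31 = 2003/R2, 44 = 2008, 47 = 2008 R2, 56 = 2012).
$rootDse = Get-ADRootDSE -Server $NewDomain
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext `
                        -Properties objectVersion -Server $NewDomain
$levels  = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2' }
"Schema objectVersion {0} ({1})" -f $schema.objectVersion, $levels[[int]$schema.objectVersion]

# 2) Forest and domain functional levels of the new environment.
"Forest mode: {0}" -f (Get-ADForest -Server $NewDomain).ForestMode
"Domain mode: {0}" -f (Get-ADDomain -Server $NewDomain).DomainMode

# 3) Trusts: a new tree in the same forest shows IntraForest = True with no
#    configuration; a separate forest needs an explicit (ideally forest) trust.
#    SID filtering on that trust strips foreign SIDs from tokens, so sIDHistory
#    only helps when the trust is configured for it (see the SIDHistory link above).
Get-ADTrust -Filter * -Server $NewDomain |
    Select-Object Target, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 4) sIDHistory: ADMT populates it on copied accounts so migrated users keep
#    access to old-domain resources. Count them and list the old SIDs carried.
$migrated = Get-ADUser -Filter 'sIDHistory -like "*"' -Properties sIDHistory -Server $NewDomain
"{0} users in {1} carry sIDHistory" -f @($migrated).Count, $NewDomain
$migrated |
    Select-Object SamAccountName,
        @{ n = 'OldSIDs'; e = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ',' } } |
    Format-Table -AutoSize
```

Run it from an account in the new domain after each ADMT batch; an empty sIDHistory list or a trust showing SIDFilteringQuarantined = True explains why migrated users cannot reach old-domain resources.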