Answered Trust among 3 forests?

  • Saturday, November 17, 2012 7:58 PM
     
     

    2 companies have merged. Each company has a single forest and single domain. I am thinking of creating a new separate forest and domain that would contain all of the employee user accounts... and then have the old domains that each company had prior to the merger be a resource domain... and each trust the new user domain. Is this possible?

    I'm thinking of the old NT master domain model... and seeing how I could implement something similar now that I have forests in the picture. Yes, I'm old.... got my MCSE in NT 4.0.  Any new tricks for this old dog?

All Replies

  • Sunday, November 18, 2012 2:31 AM
    Moderator
     
     
    Thread has been moved to DS forum.

    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

  • Sunday, November 18, 2012 7:26 AM
     
     

    Hi,

    Yes, it is possible. To do so, you need to use the ADMT tool. For more info, I suggest you check the following links.

    ADMT Guide: Migrating and Restructuring Active Directory Domains

    ADMT Tool

  • Sunday, November 18, 2012 2:27 PM
    Moderator
     
     

    2 companies have merged. Each company has a single forest and single domain. I am thinking of creating a new separate forest and domain that would contain all of the employee user accounts... and then have the old domains that each company had prior to the merger be a resource domain... and each trust the new user domain. Is this possible?

    I'm thinking of the old NT master domain model... and seeing how I could implement something similar now that I have forests in the picture. Yes, I'm old.... got my MCSE in NT 4.0.  Any new tricks for this old dog?

    NT 4.0 can't have a trust with Windows 2008 R2 servers. A one-way trust is one of the minimum prerequisites for the ADMT tool to be used for migration. You can create a trust with downlevel OSes. Run

    http://support.microsoft.com/kb/2021766?wa=wsignin1.0

    http://blogs.technet.com/b/askds/archive/2010/07/30/friday-mail-sack-newfie-from-the-grave-edition.aspx#nt4

    Restructuring Active Directory Domains Between Forests  http://awinish.wordpress.com/2011/02/09/restructuring-active-directory-domains-between-forests/

    More on ADMT can be found here too.

    http://awinish.wordpress.com/tag/admt/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Sunday, November 18, 2012 4:11 PM
     
     

    The domains and forests are both currently Server 2003 functional level. We don't have any NT 4.0 domain.

    If you read again, you'll see that I stated my thinking was of the NT 4.0 master domain model; and, wanting to accomplish something similar to that... with forests in the picture (2003 domain/forests).

  • Sunday, November 18, 2012 7:12 PM
     
     

    2 companies have merged. Each company has a single forest and single domain. I am thinking of creating a new separate forest and domain that would contain all of the employee user accounts... and then have the old domains that each company had prior to the merger be a resource domain... and each trust the new user domain. Is this possible?

    From my point of view, it will be better to consolidate both domains in just one and then decommission the old ones.

    You can do that by creating a new domain in a new forest (Of course, it should have different DNS and NetBIOS names). Once done, you can use ADMT to migrate your AD objects to the new AD environment: http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

    The advantage of ADMT is that it can create identical AD objects (A new SID will be generated but you can migrate the SID history) and switch the users to the new domain. By using profile translation, you can keep the same Windows environment for users so that they will not notice changes. Once you switch them, you can migrate all the remaining services and decommission the old servers.

    The domains and forests are both currently Server 2003 functional level. We don't have any NT 4.0 domain.

    If you read again, you'll see that I stated my thinking was of the NT 4.0 master domain model; and, wanting to accomplish something similar to that... with forests in the picture (2003 domain/forests).

    Forget NT4.0 now as the principles changed :)

    See the ADMT guide and you will get all that you need. You can do the needed tests in a test environment before proceeding. Note also that the rollback is easy when you switch users / computers using ADMT.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  • Sunday, November 18, 2012 10:36 PM
     
     Answered
    Agreed with Mx, you need to use ADMT if you want to merge the company into one forest. If you want to migrate users, computers, etc. from one domain to a new domain using the ADMT tool, you need to create a trust relationship between the two domains.

    You need to understand the working of ADMT before you actually take on the migration in the production env. Also, it's much better if you can simulate it in a lab environment for a successful result. I have the links below, which might help you to understand this. Start by reading the ADMT guide first.

    ADMT Guide: Migrating and Restructuring Active Directory Domains
    http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    ADMT Series
    http://blog.thesysadmins.co.uk/category/admt

    Note: ADMT doesn’t have an Exchange/mailbox migration option.

    If you don't want to merge the domains, you can create a trust and access resources across the forest.

    Checklist: Creating a forest trust
    http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx

    Accessing resources across forests
    http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
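
The layout the question describes (each old forest kept as a resource forest that trusts a new account forest) and the SID history migration mentioned in the replies are both visible in the `trustedDomain` objects stored in each resource forest. As an added example, not part of any reply in this thread, the PowerShell below decodes those attributes and reports where a trust is wider than that design needs; the forest name `users.example`, the function name `Test-ResourceForestTrust` and its parameters are assumptions, and the sample objects are constructed.

```powershell
# Added example. Flag values are the documented trustDirection / trustAttributes bits.
$DirectionName    = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$Quarantined      = 0x04   # SID filtering (quarantine) enforced on an external trust
$ForestTransitive = 0x08   # forest trust rather than external trust
$TreatAsExternal  = 0x40   # forest trust relaxed so that sIDHistory SIDs pass

function Test-ResourceForestTrust {
    param(
        [Parameter(Mandatory)] [object[]] $Trust,          # trustedDomain objects
        [Parameter(Mandatory)] [string]   $AccountForest   # hypothetical parameter name
    )
    foreach ($t in $Trust) {
        $dir   = [int]$t.trustDirection
        $attrs = [int]$t.trustAttributes
        $notes = @()
        if ($t.trustPartner -ne $AccountForest) { $notes += 'partner is not the account forest' }
        # The resource side is the trusting side, so only an outgoing trust is needed.
        if ($dir -ne 2) { $notes += 'direction should be Outbound only' }
        $isForest = [bool]($attrs -band $ForestTransitive)
        # Migrated sIDHistory is honoured only while SID filtering is relaxed on the trust.
        if ($isForest) { $sidHistoryPasses = [bool]($attrs -band $TreatAsExternal) }
        else           { $sidHistoryPasses = -not ($attrs -band $Quarantined) }
        if ($sidHistoryPasses) { $notes += 'SID filtering relaxed: restore it after migration' }
        if ($notes.Count -eq 0) { $notes += 'ok' }
        [pscustomobject]@{
            Partner          = $t.trustPartner
            Direction        = $DirectionName[$dir]
            ForestTrust      = $isForest
            SidHistoryPasses = $sidHistoryPasses
            Findings         = $notes -join '; '
        }
    }
}

# Constructed sample data: one trust object as read in each old (resource) forest.
# Live data would come from:
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
#       -Properties trustPartner, trustDirection, trustAttributes
$sample = @(
    [pscustomobject]@{ trustPartner = 'users.example'; trustDirection = 2; trustAttributes = 0x08 }
    [pscustomobject]@{ trustPartner = 'users.example'; trustDirection = 3; trustAttributes = 0x48 }
)
Test-ResourceForestTrust -Trust $sample -AccountForest 'users.example' | Format-Table -AutoSize
```

The first sample object matches the one-way design with SID filtering intact; the second is reported for being bidirectional and for letting sIDHistory SIDs through.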

  • Tuesday, November 20, 2012 5:56 AM
    Moderator
     
     

    Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Yan Li

    TechNet Community Support

  • Tuesday, November 20, 2012 8:08 AM
    Moderator
     
     Answered

    The domains and forests are both currently Server 2003 functional level. We don't have any NT 4.0 domain.

    If you read again, you'll see that I stated my thinking was of the NT 4.0 master domain model; and, wanting to accomplish something similar to that... with forests in the picture (2003 domain/forests).

    Regarding the working of the trust, you can refer to the articles below.

    How Domain and Forest Trusts Work  http://technet.microsoft.com/en-us/library/cc773178%28WS.10%29.aspx#w2k3tr_trust_how_knfk

    Domain and Forest Trust Tools and Settings  http://technet.microsoft.com/en-us/library/cc756944%28WS.10%29.aspx

    Trust Technologies  http://technet.microsoft.com/en-us/library/cc759554%28WS.10%29.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.