Create New Domain Tree vs Create New Forest?

    Question

  • Hi,

    I have a scenario where our company has changed its name, and we've been tasked to set up a new domain corresponding to this new name (this is largely for the purposes of management not seeing the name of the old company on anything they're logging into). From an IT point of view, we're 'OK' with a part migration if it makes for less work and/or a simpler migration, i.e. by part-migration I mean we would be comfortable leaving some elements/servers in the old domain, with trusts to the new domain.

    My question is- with this considered, should we go for:

    1) a new root domain in the same forest; or 2) a new forest, new domain, with a trust between the new forest and the old forest.

    What is more work? What is more complicated?

    EXAMPLE NOTES:

      • domain1.local (already exists) functional level:  Server 2003.  Exchange 2003
      • newdomain.local (either new root domain in existing forest, or new domain in new forest) intended functional level: Server 2008 R2, Exchange 2010.  Intent is that all existing and future mailboxes will migrate to Exchange 2010 and Exchange 2003 will be retired.  
      • same network infrastructure will be used but we have allocated different subnets (which can be VLAN'ed off) for the new domain.

      This is a summation of our environment: we have approx. 150 users (+mailboxes), 4 offices in geographically different locations (each office is an AD site, with a Domain Controller in each). The current Exchange 2003 env. has the sole FE server and 1st BE server hosted in one site, with the 2nd BE Exchange server in another site (the two remaining sites have no Exchange servers).

      QUESTIONS:

      1. I was hoping someone could provide guidance as to which path we should take. Are there any guides that someone can point me to?
      2. I'm aware that introducing a 2008 DC into a 2003 functional level environment would mean I would first need to do an ADPREP /forestprep and /domainprep. But would that be required in this scenario if I was introducing a new - and the first - domain controller to a new root domain in the same forest? Or will this introduction of the first DC create the correct AD 2008 schema without the need to do an ADPREP?
      3. Is using a different subnet and switch VLAN sufficient to separate the old and new domains, so that, for example, devices in the new domain do not register to the DNS or DHCP server of the old domain? Ultimately though, we still want a level of domain trust so that users in the new domain can still access servers which will remain in the old domain (either remain permanently or during transition).

    Any other pointers would be greatly appreciated.

    thanks!


    Monday, October 15, 2012 4:38 AM

Answers

  • Thank you both for your feedback.

    So the key consideration when using ADMT for either a New Root Domain Tree in same Forest or New Domain in new Forest, appears to be this:

    • Interforest Active Directory domain restructure -- when you migrate objects between forests both the source and target domain environments exist simultaneously. This makes it possible for you to roll back to the source environment during the migration, if necessary.
    • Intraforest Active Directory domain restructure -- when you restructure domains in a forest, the migrated accounts no longer exist in the source domain. Therefore, rollback of the migration can only occur when you carry out the migration process again in reverse order

    My questions are thus:  

    Where it refers to "when you migrate objects between forests both the source and target domain environments exist simultaneously" - does this mean when you migrate an account to the new forest, the account still exists in duplicate in the old domain? Not sure I understand the definition.

    Yes, that's correct. That's because an interforest migration "copies" user and group accounts. And after you migrate a batch of users or groups in this scenario, if you don't like them, you can trash them and do it over. However, migrating computer accounts is a one shot deal, that you would do after you make sure the user and groups migrated properly.

    .

    As far as trusts are concerned, is there any difference in the trust level between domains in different forests versus trust between domains in the same forest? Again, I'm trying to ascertain which option will have the least impact in terms of work involved and ongoing support. If both trusts offer the same net result in terms of permissions (as mentioned, some servers/services may have to remain on the old domain), then I would agree with Mr X that with all things equal, a clean slate is a better approach.

    No difference, you can use either. Forest trusts are highly preferred and are DNS based. If you are connecting the two across a router, if you use NTLM trusts, you will need NetBIOS support. And I agree as well with Mr X - a clean slate is definitely the better choice.

    And if you're going to co-exist the two while the migration is going, which of course depends on if you can migrate everything over one weekend or not, then you will need to enable SIDHistory so the new users in the new domain can still access resources in the old domain, such as servers, printers, Exchange mailboxes, etc. Here's more on the trust and SIDHistory:

    ADMT: Configure Trusts for SIDhistory
    http://setspn.blogspot.com/2010/05/admt-configure-trusts-for-sidhistory.html

    Here's a good flowchart of what needs to be done:
    http://www.sivarajan.com/admt.html

    .

    Am I correct in saying Interforest domain trusts are implicit and automatically created between domains when a new root tree domain is created in an existing forest? (whereas Intraforest trusts are manually applied).

    I don't understand the question.

    Note: "Intra"forest means within a forest, and "Inter"forest means between two separate forests.

    Therefore, do you mean you want to create a new Tree in the same forest? If so, then that would be a new tree within an existing forest, and with all trusts within a forest, they are automatically created with the creation of a new child domain or tree, and they are all automatic two-way, transitive trusts, as all trusts are within a forest.

    If you mean that you want to create a brand new domain in a brand new forest, then no, there are no trusts created automatically between different forests, as they are two completely, separate entities.

    In your scenario, I would highly suggest a new forest and migrate into it. Creating an additional tree in your existing forest will vastly complicate it for the long haul, and besides, the old name will always be there, because you can't dump the original forest root domain.

    .

    Regarding my networking question, is it sufficient to VLAN off a segment of the network, so long as the new domain/forest is set up on a new designated subnet range (but still on the same network and infrastructure) - will this provide the appropriate level of segregation between domains?

    I think that is the best scenario, because it will give you the opportunity for the new organization to have its own DHCP services, DNS servers, setting DHCP options to specific servers for its own infrastructure. If they were on the same subnet, this will be much more difficult and complex to manage.

    .

    I appreciate your patience with what might appear as trivial/basic questions. Unfortunately, although I do maintain the Exchange and AD environment (and a little of the networking), I have never done an AD migration or created a new domain.

    As for Exchange, that complicates it, too, however it's not as bad as some say. Yes, it's complex, don't get me wrong, but once you get the co-existence working, then it's smooth sailing. I suggest to post the Exchange migration questions to the Exchange forum for specific assistance:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/threads

    .

    Just a suggestion... I think you would be better off hiring a consulting company that has performed multiple migrations in the past. This way it takes the guesswork out of it on your part, and the transition will be as smooth and efficient as possible. If you come up with roadblocks in the middle of it, or some complexity were to arise, the forums may not be the best due to the immediate assistance you may need and the availability of someone in the forum responding on a timely basis.

    .

    thanks!

    P.S. Sandesh - regarding your sample suggestion, that is a dead link.  Would you be able to repost? 
    Sample User/Computer migration steps.
    http://www.arconi.com/solutions-articles/solutions/120-admtmigrationsteps.html


    This is another 404 link, only because Jorge migrated his data to a new blog. 
    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    And I don't have a link to his new blog.

    .

    And good luck!

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:18 PM
    • Unmarked as answer by dallandra123 Tuesday, October 16, 2012 11:20 PM
    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:20 PM
    • Unmarked as answer by dallandra123 Tuesday, October 16, 2012 11:20 PM
    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:21 PM
    Tuesday, October 16, 2012 3:31 AM
  • Since your company name has changed and the same is not required by management, you can create a new domain in a new forest and migrate the users/computers, etc. to the new domain; in this case ADMT is your friend.

    If you want to migrate users/computers from one domain to a new domain using the ADMT tool, you need to create a trust relationship between the two domains. You need to understand the working of ADMT before you actually take on a migration in a production environment. Also, it's much better if you can simulate it in a lab environment for a successful result. Start by reading the ADMT guide first.

    ADMT Guide: Migrating and Restructuring Active Directory Domains
    http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    Refer below link for more details:

    http://portal.sivarajan.com/2010/12/active-directory-migration-tool-admt.html
    http://portal.sivarajan.com/2010/06/admt-32-migration-guide.html

    Sample User/Computer migration steps.
    http://www.arconi.com/solutions-articles/solutions/120-admtmigrationsteps.html

    ADMT Series
    http://blog.thesysadmins.co.uk/category/adm

    ADMT doesn't have an Exchange/mailbox migration option. If you are not planning to use a third party migration tool like Quest or NetIQ, your only option is to export the mailboxes (exmerge) and import them. But you will have some mail routing challenges here - like non-migrated users sending emails to migrated users and vice versa. However, for better assistance related to Exchange, refer to the Exchange forum.
    http://social.technet.microsoft.com/Forums/en-us/category/exchangeserver
    http://social.technet.microsoft.com/Forums/en-us/category/exchange2010

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:19 PM
    • Unmarked as answer by dallandra123 Tuesday, October 16, 2012 11:20 PM
    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:21 PM
    Monday, October 15, 2012 9:18 AM
  • I have a scenario where our company has changed its name, and we've been tasked to set up a new domain corresponding to this new name (this is largely for the purposes of management not seeing the name of the old company on anything they're logging into). From an IT point of view, we're 'OK' with a part migration if it makes for less work and/or a simpler migration, i.e. by part-migration I mean we would be comfortable leaving some elements/servers in the old domain, with trusts to the new domain.

    Domain rename is an option too. However, note that

    http://technet.microsoft.com/en-us/library/cc738208%28v=ws.10%29.aspx

    Note that the domain rename operation is not supported in Microsoft Exchange Server 2007 or Exchange Server 2010. DNS domain rename is supported in Exchange Server 2003. However, renaming of the NetBIOS domain name is not supported in any version of Exchange Server.

    1) a new root domain in the same forest; or 2) a new forest, new domain, with a trust between the new forest and the old forest.

    What is more work? What is more complicated?

    If you want to restart everything from scratch and clean basis, I would recommend creating a new domain in a new forest as the Schema, Configuration partitions will not be shared with the old forest.

    From the technical complexity, creating a new domain in a new forest may be more complex but not much more complex than a migration to a new domain in a new forest.

    For the AD migration, I would recommend using ADMT 3.2 and:

    • Migrate AD objects (Users and Groups) with their old SID so that SID-based access to old resources will be kept
    • Do the needed translations so that permissions (...) can be updated properly

    Note that, during the migration phase, users may require access using their old accounts. That is why you may need to maintain old and new accounts during the migration phase (If you are doing an inter-forest AD migration as for intra-forest the migrated accounts no longer exist).

    For Exchange migration, refer to that: http://jaxelos.wordpress.com/2011/11/23/interforest-migration-with-admt-3-2-and-exchange-2010-interforest-migration-2/


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Edited by Mr XMVP Tuesday, October 16, 2012 7:37 AM add info
    • Unmarked as answer by dallandra123 Tuesday, October 16, 2012 11:20 PM
    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:21 PM
    Monday, October 15, 2012 8:42 PM
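    An added audit script (not from any poster in this thread) for the trust and SIDHistory points in Ace's and Mr X's replies: it decodes trustAttributes on the domain's trust objects to show which trusts will honour SIDHistory (on a forest trust that is the TREAT_AS_EXTERNAL flag that `netdom trust ... /enablesidhistory:yes` sets), and lists the accounts ADMT migrated with their old SID so they can be cleaned up once the old domain is retired. It assumes a domain-joined Windows host with read access to the domain partition and uses plain ADSI, so it needs neither the ActiveDirectory module nor Get-ADTrust.

```powershell
# Added audit script, not from the thread. Assumes a domain-joined Windows host
# with read access to the domain partition and PowerShell 2.0+ (plain ADSI, so
# the ActiveDirectory module / Get-ADTrust is not required). Run it in each
# domain of the pair (e.g. the thread's domain1.local and newdomain.local).

# trustAttributes flags as documented in MS-ADTS.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04  # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08  # the trust is a forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # automatic trust inside one forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # set by 'netdom trust ... /enablesidhistory:yes'

function Get-TrustReport {
    # Trust objects live in the System container of the domain partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://CN=System,' + $rootDse.defaultNamingContext)
    $searcher.Filter     = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustDirection', 'trustAttributes'))

    foreach ($r in $searcher.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        $dir  = [int]$r.Properties['trustdirection'][0]
        $withinForest = ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)    -ne 0
        $forestTrust  = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0

        if ($withinForest) {
            $kind = 'Intra-forest (automatic)'
            $sidHistoryHonoured = $true   # no SID filtering between domains of one forest
        } elseif ($forestTrust) {
            $kind = 'Forest trust'
            # On a forest trust, SIDHistory from the other forest is only honoured
            # once the trust has been relaxed with TREAT_AS_EXTERNAL.
            $sidHistoryHonoured = ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0
        } else {
            $kind = 'External trust'
            # On an external trust, SIDHistory is honoured while the trust is NOT quarantined.
            $sidHistoryHonoured = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0
        }

        New-Object PSObject -Property @{
            Partner            = [string]$r.Properties['name'][0]
            Kind               = $kind
            Direction          = @{1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional'}[$dir]
            Transitive         = ($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -eq 0
            SidHistoryHonoured = $sidHistoryHonoured
        }
    }
}

function Get-SidHistoryAccounts {
    # Users, computers and groups that ADMT migrated with their old SID.
    # Once the old domain is retired, clear sIDHistory and remove the trust.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(|(objectCategory=person)(objectCategory=computer)(objectCategory=group))(sIDHistory=*))'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'sIDHistory'))

    foreach ($r in $searcher.FindAll()) {
        # sIDHistory comes back as one byte[] per historical SID; convert to S-1-5-... form.
        $oldSids = foreach ($bytes in $r.Properties['sidhistory']) {
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
        New-Object PSObject -Property @{
            Account = [string]$r.Properties['samaccountname'][0]
            OldSids = ($oldSids -join '; ')
        }
    }
}

Get-TrustReport        | Format-Table Partner, Kind, Direction, Transitive, SidHistoryHonoured -AutoSize
Get-SidHistoryAccounts | Format-Table Account, OldSids -AutoSize
```

    A forest trust reporting SidHistoryHonoured = True is one on which SID filtering has been relaxed for the migration, so the report is worth re-running after cut-over to confirm the flag has been cleared again and that no accounts still carry old SIDs.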
  • Just an update - here's Jorge's new blog link:
    http://jorgequestforknowledge.wordpress.com/2006/12/27/migrating-stuff-with-admtv3/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, October 16, 2012 5:32 AM
  • Since the management has already taken the decision to go with the new name, it's wise to create a new domain in a new forest if you decide to use the ADMT tool. If you create a new domain in the existing forest, then the migration with the ADMT tool will perform a move operation instead of a copy, and the source object will be removed.

    If you are interested in a 3rd party migration tool, then you can also evaluate the Quest tool, which provides a rollback option in intra-forest migration. More on the Quest & ADMT tools:

    http://awinish.wordpress.com/2010/12/24/intraforest-interforest-migration/

    http://awinish.wordpress.com/2011/10/04/quest-and-admt-comparison/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, October 16, 2012 8:07 AM
    Moderator
  • You are now asking Exchange migration questions in the DS forum. What I can tell you in a summary is that during migration, they are not a co-existence as you would co-exist 2003/2010 in one organization (forest). This will be two totally separate Exchange organizations. Just to be clear, an Exchange "organization" is unique to a forest. You can co-exist multiple organizations (forests, just to be clear), but there's quite a bit of work to do to make it happen. One such thing is you would need to export the GAL from one and import it into the other as Contacts, and vice versa, and then create a connector between the two, and create forwarders for mailboxes from the one to the other, and vice versa. One of them needs the MX record pointing to it for your public domain. I'm going to stop there, and please follow my suggestions to post how to make this work in the Exchange forum. Here's the link again:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/threads

    .

    As for a complete step by step, I think Jorge's blog, that I posted his updated link, is pretty good.

    You honestly need to get a consultant on board to handle this project. Its scope is multi-faceted, and it's best that you get someone that has done this before, which can probably do this in their sleep.

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, October 16, 2012 11:10 PM

All replies

  • Thank you both for your feedback.

    So the key consideration when using ADMT for either a New Root Domain Tree in same Forest or New Domain in new Forest, appears to be this:

    • Interforest Active Directory domain restructure -- when you migrate objects between forests both the source and target domain environments exist simultaneously. This makes it possible for you to roll back to the source environment during the migration, if necessary.
    • Intraforest Active Directory domain restructure -- when you restructure domains in a forest, the migrated accounts no longer exist in the source domain. Therefore, rollback of the migration can only occur when you carry out the migration process again in reverse order

    My questions are thus:  

    Where it refers to "when you migrate objects between forests both the source and target domain environments exist simultaneously" - does this mean when you migrate an account to the new forest, the account still exists in duplicate in the old domain? Not sure I understand the definition.

    As far as trusts are concerned, is there any difference in the trust level between domains in different forests versus trust between domains in the same forest? Again, I'm trying to ascertain which option will have the least impact in terms of work involved and ongoing support. If both trusts offer the same net result in terms of permissions (as mentioned, some servers/services may have to remain on the old domain), then I would agree with Mr X that with all things equal, a clean slate is a better approach.

    Am I correct in saying Interforest domain trusts are implicit and automatically created between domains when a new root tree domain is created in an existing forest? (whereas Intraforest trusts are manually applied).

    Regarding my networking question, is it sufficient to VLAN off a segment of the network, so long as the new domain/forest is set up on a new designated subnet range (but still on the same network and infrastructure) - will this provide the appropriate level of segregation between domains?

    I appreciate your patience with what might appear as trivial/basic questions. Unfortunately, although I do maintain the Exchange and AD environment (and a little of the networking), I have never done an AD migration or created a new domain.

    thanks!

    P.S. Sandesh - regarding your sample suggestion, that is a dead link.  Would you be able to repost? 
    Sample User/Computer migration steps.
    http://www.arconi.com/solutions-articles/solutions/120-admtmigrationsteps.html


    • Edited by dallandra123 Tuesday, October 16, 2012 12:52 AM
    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:19 PM
    • Unmarked as answer by dallandra123 Tuesday, October 16, 2012 11:19 PM
    Tuesday, October 16, 2012 12:45 AM
  • Thank you both for your feedback.

    So the key consideration when using ADMT for either a New Root Domain Tree in same Forest or New Domain in new Forest, appears to be this:

    • Interforest Active Directory domain restructure -- when you migrate objects between forests both the source and target domain environments exist simultaneously. This makes it possible for you to roll back to the source environment during the migration, if necessary.
    • Intraforest Active Directory domain restructure -- when you restructure domains in a forest, the migrated accounts no longer exist in the source domain. Therefore, rollback of the migration can only occur when you carry out the migration process again in reverse order

    My questions are thus:  

    where it refers to " when you migrate objects between forests both the source and target domain environments exist simultaneously" - does this mean when you migrate an account to the new forest, the account still exist in duplicate in the old domain?  not sure i understand the definition. 

    Yes, that's correct. That's because an interforest migration "copies" user and group accounts. And after you migrate a batch of users or groups in this scenario, if you don't like them, you can trash them and do it over. However, migrating computer accounts is a one shot deal, that you would do after you make sure the user and groups migrated properly.

    .

    As far as trusts are concerned, is there any difference in the trust level between domains in different forests versus trust between domains in the same forest?  Again, I'm trying to ascertain which option will have the least impact in terms of work involved and ongoing support.  if both trusts offer the same net result in terms of permissions (as mentioned some servers/service may have to remain on the old domain), then I would agree with Mr X that with all things equal, a clean slate is a better approach.

    No difference, you can use either. Forest trusts are highly preferred and are DNS based. If you are connecting the two across a router, if you use NTLM trusts, you will need NetBIOS support. And I agree as well with Mr X - a clean slate is definitely the better choice.

    And if you're going to co-exist the two while the migration is going, which of course depends on if you can migrate everything over one weekend or not, then you will need to enable SIDHistory so the new users in the new domain can still access resources in the old domain, such as servers, printers, Echange mailboxes, etc. Here's more on the trust and SIDHistory:

    ADMT: Configure Trusts for SIDhistory
    http://setspn.blogspot.com/2010/05/admt-configure-trusts-for-sidhistory.html

    Here's a good flowchart of what needs to be done:
    http://www.sivarajan.com/admt.html

    .

    Am I correct in saying Interforest domain trusts are implicit and automatically created between domains when a new root tree domain is created in an existing forest ?(whereas Intraforest trusts are manually applied).  

    I don't understand the question.

    Note: "Intra"forest means within a forest, and "Inter"forest means between two separate forests.

    Therefore, do you mean you want to create a new Tree in the same forest? If so, than that would be a new tree within an existing forest, and with all trusts within a forest, they are automatically created with the creation of a new child domain or tree, and they are all automatic two-way, transitive trusts, as all trusts are within a forest.

    If you mean that you want to create a brand new domain in a brand new forest, then no, there are no trusts created automatically between different forests, as they are two completely, separate entities.

    In your scenario, I would highly suggest a new forest and migrate into it. Creating an additional tree in your existing forest will vastly complicate it for the long haul, and besides, the old name will always be there, because you can't dump the original forest root domain.

    .

    Regarding my networking question, is it sufficient to VLAN off a segment off the network and so long as the new domain/forest is setup on a new designated subnet range (but still on the same network and infrastructure) - will this provide the appropriate level of segregation between domains?

    I think that is the best scenario, because it will give you the opportunity for the new organization to have its own DHCP services, DNS servers, setting DHCP options to specific servers for it's own infrastructure. If they were on the same subnet, this will be much more difficult and complex to manage.

    .

    I appreciate your patience with what might appear as trivial/basic questions.  Unfortunately, although I do maintain the Exchange and AD environment (and a little of the networking), I have never done an AD migration or created a new domain.

    As for Exchange, that complicates it, too; however, it's not as bad as some say. Yes, it's complex, don't get me wrong, but once you get the co-existence working, then it's smooth sailing. I suggest posting the Exchange migration questions to the Exchange forum for specific assistance:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/threads

    .

    Just a suggestion... I think you would be better off hiring a consulting company that has performed multiple migrations in the past. This way it takes the guesswork out of it on your part, and the transition will be as smooth and efficient as possible. If you come up with roadblocks in the middle of it, or some complexity were to arise, the forums may not be the best option, due to the immediate assistance you may need and the availability of someone in the forum responding on a timely basis.

    .

    thanks!

    P.S. Sandesh - regarding your sample suggestion, that is a dead link. Would you be able to repost?
    Sample User/Computer migration steps.
    http://www.arconi.com/solutions-articles/solutions/120-admtmigrationsteps.html


    This is another 404 link, only because Jorge migrated his data to a new blog. 
    MIGRATING STUFF WITH ADMTV3
    http://blogs.dirteam.com/blogs/jorge/archive/2006/12/27/Migrating-stuff-with-ADMTv3.aspx

    And I don't have a link to his new blog.

    .

    And good luck!

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by dallandra123 Tuesday, October 16, 2012 11:21 PM
    Tuesday, October 16, 2012 3:31 AM
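    Ace's distinction between trusts inside a forest and trusts between forests can be verified directly on the trustedDomain objects a domain controller holds. The following is an added example, not code from the thread or from any of the posters: it decodes the documented trustAttributes and trustDirection bit values of those objects and runs over constructed sample records (the partner names other than newdomain.local are made up).

```python
# Added example (not from the thread): decode AD trustedDomain records the way the
# answer above distinguishes them, i.e. trusts inside one forest (automatic, two-way,
# transitive) versus trusts between forests (created by hand). Sample data is constructed.

NON_TRANSITIVE    = 0x0001
QUARANTINED       = 0x0004   # SID filtering ("quarantine") on an external trust
FOREST_TRANSITIVE = 0x0008   # forest trust (inter-forest, transitive)
WITHIN_FOREST     = 0x0020   # parent/child or tree-root trust inside the forest
TREAT_AS_EXTERNAL = 0x0040   # forest trust with relaxed SID filtering (SID history allowed)

DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}


def classify_trust(entry):
    """Describe one trustedDomain record given as a dict of integer attributes."""
    attrs = entry["trustAttributes"]
    within = bool(attrs & WITHIN_FOREST)
    forest = bool(attrs & FOREST_TRANSITIVE)
    if within:
        filtering = "n/a"            # no SID filtering between domains of one forest
    elif forest:
        filtering = "relaxed" if attrs & TREAT_AS_EXTERNAL else "forest-aware"
    else:
        filtering = "on" if attrs & QUARANTINED else "off"
    return {
        "partner": entry["trustPartner"],
        "scope": "intra-forest" if within else "inter-forest",
        "direction": DIRECTION.get(entry["trustDirection"], "unknown"),
        # inside a forest every trust is transitive; outside, only a forest trust is
        "transitive": within or (forest and not attrs & NON_TRANSITIVE),
        "sid_filtering": filtering,
    }


def audit_trusts(entries):
    """Return one finding per inter-forest trust whose SID filtering is not the default."""
    findings = []
    for entry in entries:
        info = classify_trust(entry)
        if info["scope"] == "inter-forest" and info["sid_filtering"] in ("off", "relaxed"):
            findings.append(f"{info['partner']}: SID filtering {info['sid_filtering']}")
    return findings


# Constructed sample: a new tree root in the existing forest, a forest trust to a new
# forest, a forest trust with SID history enabled, and an old external trust.
SAMPLE_TRUSTS = [
    {"trustPartner": "newdomain.local", "trustDirection": 3, "trustAttributes": 0x20},
    {"trustPartner": "newforest.local", "trustDirection": 3, "trustAttributes": 0x08},
    {"trustPartner": "relaxed.local",   "trustDirection": 3, "trustAttributes": 0x48},
    {"trustPartner": "legacy.local",    "trustDirection": 2, "trustAttributes": 0x00},
]
```

    Feeding it real records (for example, the trustedDomain objects under CN=System of each domain) shows which trusts were created automatically with a new tree and which inter-forest trusts are running with weakened SID filtering.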
  • Just an update - here's Jorge's new blog link:
    http://jorgequestforknowledge.wordpress.com/2006/12/27/migrating-stuff-with-admtv3/


    Ace Fekay

    Tuesday, October 16, 2012 5:32 AM
  • Since management has already taken the decision to go with the new name, it's wise to create the new domain in a new forest if you decide to use the ADMT tool. If you create the new domain in the existing forest, then the migration with the ADMT tool will perform a move operation instead of a copy, and the source object will be removed.

    If you are interested in a 3rd-party migration tool, then you can also evaluate the Quest tool, which provides a rollback option in intra-forest migration. More on the Quest and ADMT tools:

    http://awinish.wordpress.com/2010/12/24/intraforest-interforest-migration/

    http://awinish.wordpress.com/2011/10/04/quest-and-admt-comparison/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, October 16, 2012 8:07 AM
    Moderator
  • Thanks Ace. The flow chart is particularly good for me to get things into perspective. So based on all your feedback, I will approach this as an inter-forest migration.

    Is there a step-by-step guide for this entire migration process? Conceptually I understand the elements (the flow chart helps and I can research the elements individually), but given I don't have anyone else in our team with the expertise to bounce ideas off (and cross-check), I would very much welcome a complete step-wise guide.

    And I agree re the consultant suggestion - yes, if I had a lab environment, I could possibly go it alone and test and garner advice from guides/forums/etc., but given that I don't and this has to be done in production, as you say, forums are likely to be too slow a resource for answers during a migration weekend when things go pear-shaped.


    One last question - on Exchange: again, our scenario is to move all users off Exchange 2003 (current domain) to a new Exchange 2010 environment (new domain).

    I understand that co-existing both Exch2003 and Exch2010 in the same domain can be readily done (so long as certain prerequisites are met, e.g. AD forest functional mode needs to be min. WinServ2003, AD schema needs min. WinServ2003 SP2, etc.).

    Does this 'co-existence' apply in my scenario when a trust is built between the two forests - can a co-existence scenario take place across two forests with trusts built? Or is it that, because Exchange 2010 is in another domain in another forest, both Exchange environments are treated separately? Hence, I can create the Exch2010 env. totally independently of the old domain and treat it as a new installation in a new environment (obviously pointing all external DNS MX/A records to the new Exchange servers)?

    Further, if that is the case, when I then migrate the AD users over using ADMT, how do they integrate with the new Exchange environment? Are they considered as users with no mailboxes assigned? If so, would I simply then just mail-enable them, then import the exmerges from their Exch2003 mailboxes?

    thanks again All!

    Tuesday, October 16, 2012 10:52 PM
  • You are now asking Exchange migration questions in the DS forum. What I can tell you in summary is that during migration, it is not a co-existence as you would co-exist 2003/2010 in one organization (forest). This will be two totally separate Exchange organizations. Just to be clear, an Exchange "organization" is unique to a forest. You can co-exist multiple organizations (forests, just to be clear), but there's quite a bit of work to do to make it happen. One such thing is you would need to export the GAL from one and import it into the other as Contacts, and vice versa, then create a connector between the two, and create forwarders for mailboxes from the one to the other, and vice versa. One of them needs the MX record for your public domain pointing to it. I'm going to stop there, and please follow my suggestion to post how to make this work in the Exchange forum. Here's the link again:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/threads

    .

    As for a complete step by step, I think Jorge's blog, whose updated link I posted, is pretty good.

    You honestly need to get a consultant on board to handle this project. Its scope is multi-faceted, and it's best that you get someone who has done this before, who can probably do this in their sleep.

    .


    Ace Fekay

    Tuesday, October 16, 2012 11:10 PM
  • Much appreciated Ace.

    Yes, you're right. I'll continue to research for my own understanding, but will get expert help to get this job done.

    Thank you all for your help! Before this thread, my understanding was 0.5/10. At least now, it's more like 2-3/10

    :)

    Tuesday, October 16, 2012 11:16 PM
  • You're getting closer! :-) When you reach 7 or better out of 10, then you're ready, and the rest will fall in place.

    Ace Fekay

    Tuesday, October 16, 2012 11:21 PM