AD forest question: existing 2003 AD domain, move? into new 2k8R2 forest?

    Question

  • I have an existing AD domain (2003) and management is considering moving to a traditional forest with a root and everything. (2k8R2)

    Other than building a new domain and moving the users into it, what are some options?

    Tuesday, May 25, 2010 7:06 PM

Answers

  • Hi,

    If your management are happy with the existing AD.companyname.com, you're fine to proceed with setting up new sub domains eg. BusinessUnit1.AD.Companyname.com.  That would allow you to keep your existing user accounts etc and the existing domain is therefore the forest root domain.

    I'm not so sure about moving a domain... I'm not sure it is possible to create a new root and then move the existing domain to become a sub domain.  The less risky route would be to rename your existing domain... but as I mentioned before, it isn't really recommended... and especially as you've got exchange installed too.

    The approach with the least risk is to use your existing domain as the forest root (which it already is) and set up new sub domains for your various business units.

    Another option is ADMT (Active Directory Migration Tool).  You could set up a new forest root and the various sub domains and migrate users across.  It can be downloaded here: http://www.microsoft.com/downloads/details.aspx?familyid=6f86937b-533a-466d-a8e8-aff85ad3d212&displaylang=en  I've not used the most recent edition of the tool but it did work well when I did some Windows NT4 domain migrations to Active Directory.  As always though, it's best to try it in a test setup if you have the opportunity rather than risking your live environment.  I'm also not sure what your options would be for your Exchange system.

    One last note on the "root domain with all the policies they want everyone to have"... just a note of caution here.  Separating the business units into sub domains has an impact on how far policies will flow.  Generally, a policy will only apply in a single domain and each domain can therefore have its own policies... such as password policy (although I am aware password policy has changed in 2K8).  The main thing that the entire Forest will share is a common schema.

    In summary, if AD.companyname.com and therefore BusinessUnit1.AD.companyname.com is acceptable to your management, go with it.  It will carry the least risk.  If a new domain naming structure is essential, create a new Forest root domain and use ADMT to migrate users etc.  It is worth looking into the implications on the Exchange side though.

    Hope this helps.

    Thanks

    Dan

    • Marked as answer by Nex6 Tuesday, May 25, 2010 9:50 PM
    Tuesday, May 25, 2010 9:18 PM

All replies

  • Hi,

    Assuming your existing AD Domain is the only current domain, it is, in effect, the Forest Root Domain.  The first question I guess is whether the existing Domain is suitably named?

    When you say 'root and everything', is your management considering introducing subdomains?

    If your existing domain is suitably named, you can simply add new sub domains to the forest.  For example, if your current domain is named company.local, and your management want to separate out the locations, you can easily add location1.company.local...  location1.company.local... etc.  To introduce Windows Server 2008 R2 Domain Controllers, you will just need to upgrade the schema using adprep32.exe from the Windows Server 2008 installation media (assuming your Windows Server 2003 boxes are 32bit).

    However, if the naming is due to be considerably different to your existing domain, a new domain/forest may be required. 

    In summary, if your existing domain has a suitable name, it can stay as it is and you can introduce sub domains if there is a need.  Renaming an existing domain is possible, but not really recommended. 

    Hope this helps.

    Dan

    Tuesday, May 25, 2010 7:26 PM
  • The existing domain is named AD.companyname.com, kind of thing. (abstracted to protect the innocent)

    And yeah, they are thinking subdomains, as the business needs have changed and new units have their own budget etc. But they want a single forest. They don't want a lot of domains with trusts.
    (which we have now and are cleaning up)

    They wanted one domain; that was the driver for a long time. Now, they think a single forest might be better and addresses problems some biz units have.  The existing domain has all the users in it and is tied to Exchange.

    Could you move a domain? Like create a new root, and add the domain to the new root so the users and computer accts are unaffected? (don't think that's possible, but hey)

    What they are thinking is to have a root domain with all the policies they want everyone to have and then the subdomains, for each major unit. Kind of thing.

    Tuesday, May 25, 2010 7:40 PM
  • thanks, that clears things up and validates kinda what I was thinking.

    -Nex6

    Tuesday, May 25, 2010 9:50 PM
  • Can you link GPOs from the root to sub domains? And can you ACL them so child domain Domain Admins can't mess with them? e.g.: Enterprise Admins own root-level GPOs and we link them downstream?

    Tuesday, May 25, 2010 10:05 PM
  • I believe you can link GPOs from one domain to a sub domain.  You can then control the administrative access to it through ACL.  However... GPO processing is likely to be slower when GPOs cross domain boundaries.  You'll need to use the Group Policy Management Console. 

    It is possible to migrate a GPO to another domain, but of course, you do then lose the control over the GPO and will have to maintain separate copies of the GPO.

    http://technet.microsoft.com/de-de/library/cc785343(WS.10).aspx

    Thanks

    Dan

    Tuesday, May 25, 2010 10:28 PM
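The cross-domain link and ACL question above, as an added PowerShell example (not part of the thread and not Dan's code). It assumes the GroupPolicy module that ships with Windows Server 2008 R2 / RSAT, a forest root named ad.companyname.com, a child domain businessunit1.ad.companyname.com, and a constructed GPO name and OU; the domain-prefixed trustee names in the allow-list are an assumption about how Get-GPPermission reports them.

```powershell
# Added example: link a root-domain GPO into a child domain and audit who can edit it.
Import-Module GroupPolicy

$rootDomain  = 'ad.companyname.com'                                   # forest root; the GPO lives here
$gpoName     = 'Root Baseline Security'                               # constructed GPO name
$childOU     = 'OU=Workstations,DC=businessunit1,DC=ad,DC=companyname,DC=com'  # constructed child OU

# 1. The GPO is created and owned in the forest root domain (Enterprise Admins
#    and the root's Domain Admins get edit rights by default; child Domain Admins do not).
$gpo = Get-GPO -Name $gpoName -Domain $rootDomain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $rootDomain }

# 2. Cross-domain link: -Domain is the GPO's domain, -Target is the child-domain OU.
#    Enforced so a child-domain admin cannot block inheritance of the root baseline.
#    (Clients resolve the GPO across the trust, which is why Dan notes processing is slower.)
New-GPLink -Guid $gpo.Id -Domain $rootDomain -Target $childOU -LinkEnabled Yes -Enforced Yes

# 3. Least-privilege check: list every trustee holding edit rights on the root GPO
#    that is NOT one of the expected root-level owners. Anything returned is a finding.
function Get-UnexpectedGpoEditors {
    param(
        [Parameter(Mandatory)][guid]$GpoId,
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$AllowedTrustees = @(
            'AD\Enterprise Admins',   # assumed "DOMAIN\Name" form of the trustee
            'AD\Domain Admins',
            'NT AUTHORITY\SYSTEM'
        )
    )
    Get-GPPermission -Guid $GpoId -Domain $Domain -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' } |
        Where-Object {
            $full = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
            $AllowedTrustees -notcontains $full
        } |
        Select-Object @{n='Trustee';e={ '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }}, Permission
}

$findings = Get-UnexpectedGpoEditors -GpoId $gpo.Id -Domain $rootDomain
if ($findings) {
    Write-Warning "Unexpected edit rights on '$gpoName':"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Only expected root-level trustees can edit '$gpoName'."
}
```

Running the audit function periodically against every root-domain GPO catches a child Domain Admins group that was granted GpoEdit by hand, which is the "mess with them" case the question is worried about.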
  • thanks that helps
    Wednesday, May 26, 2010 12:01 AM