Migration with Read Only Domain Controller

    Question

  • Hi All,

     Scenario: Source Domain got multiple sites, and they want to migrate only 3 sites to Target Domain. Due to setting up trust they offer the following but

    Can this be easy, by doing it this way?

    1. Currently each location got DC for local users (DNS, DHCP, WINS).

    2. Add one RODC with full FSMO roles and plug into one of the sites.

    3. Point Local Site DC - DNS to this new PDC

    4. Cut the Network for Source keeping only 3 site connectivity. (VPN)

    5. Add the Target domain and migrate...

    6. They will provide exchange connectivity for users till we setup our exchange.

    Main thing is no down time for the business?

    AS

    March 6, 2012 0:44

Answers

All replies

  • No version of Exchange supports RODC. You can't keep FSMO role on the RODC because FSMO role holder DC writes into AD. RODC needs to contact RWDC because RODC alone can't work. RODC needs to cache machine password to create a secure channel with RODC else it will create secure channel with RWDC and the reason is RODC can't issue Kerberos ticket.

    All About (RODC)Read Only Domain Controllers

    http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/

    You can point

    You can't migrate RODC/DC you need to perform demotion and repromotion.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    March 6, 2012 12:29
  • I am a little confused with this question. Are you migrating all these 3 sites resources into a new forest?

    If so, why can’t you perform a migration using a migration tool?


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties, and confers no rights.

    March 6, 2012 14:59
  • Hi Santhosh,

     They are worried about creating the trust? They just try to offer a clean up Domain controller with all the roles, then cut the connectivity?

    AS

     

    March 6, 2012 23:46
  • Again, I don’t believe your approach is going to work.

    >>> 2. Add one RODC with full FSMO roles and plug into one of the sites.

    Target RODC or Source?  And for what? :)

    >>> 5. Add the Target domain and migrate...

    What is your plan to “migrate” these resources?


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.

    March 7, 2012 15:40
  • I agree with Santhosh here.
    Setting up a trust and migrating with ADMT would be much easier – setting up a trust isn’t really a security risk more than users within the directories can browse each directory and perform cross-authentications. (Trying to split a domain will leave each site with a database that contains all passwords for all users.)
     
    If there is an absolute requirement that you can’t set up a trust I would look to Quest and QMM as I believe they have a solution for migrating without establishing a trust.
     
     
    ----------------------------------------------------------
    Regards
    Christoffer Andersson – Principal Advisor
    Enfo Zipper

    "AUSSUPPORT" wrote in message news:f153ad38-a669-4c84-8f61-ff1eafe53b6d...

    Hi Santhosh,

    They are worried about creating the trust? They just try to offer a clean up Domain controller with all the roles, then cut the connectivity?

    AS

     


    March 7, 2012 16:27
  • Hi All,

      Please forget about RODC. That is for testing...

      What they are saying is giving a DC with full FSMO roles and connecting three sites to communicate with each other. Then split the domain and leave us to migrate.

    Then we can use the ADMT to migrate to new domain. So they don't want to interact. (Source and target got both admin access)

    AS 

     

    March 8, 2012 0:13
  • >>>>  What they are saying is giving a DC with full FSMO roles and connecting three sites to communicate with each other. Then split the domain and leave us to migrate.

    Then we can use the ADMT to migrate to new domain. So they don't want to interact. (Source and target got both admin access)

    Yes. This approach would work. 


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.

    March 8, 2012 16:30
  • Hi Santhosh,

      I will need the communication till the migration completes to access the Intranet and SharePoint site in there, also Exchange mail. So can we block only AD traffic?

    Is this a good approach?

    AS


    March 9, 2012 23:31
  • You can’t connect the “isolated DC/Domain” back to the original production network.

    >>>So can we block only AD traffic?

    No.

    Better to perform a migration with domain trust.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.

    March 10, 2012 18:18
  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    March 18, 2012 15:11
    Moderator