Question

Microsoft, Active Directory, 2003, Single Domain Migration

Asked by: RobertoYzaguirre

Hello! I am a Windows 2003 Active Directory administrator for Department A. There are two other Active Directory forests, B and C. I have been asked to work with administrators from departments B & C to perform the migrations and technical adjustments needed to create a single forest for the whole organization. Detailed information about the AD environment is as follows:

Forest A has four domains and 500 users. The computer and user objects for this forest are in one domain. Two of the remaining three domains have been given to smaller workgroups and are managed by local administrators. These workgroup domains do not have special security needs and use default, unmodified domain Group Policy Objects (GPOs). In the remaining domain, one of the Domain Controllers (DCs), which holds the Operations Master role, needs to be decommissioned. Is this forest unnecessarily complex? What do I need to consider before decommissioning a DC? Moving FSMO roles to other DCs? My log on scripts should be in the SysVol of the other DC, correct?

Forest B is a single domain forest with 10,000 users with computer and user objects in separate Organizational Units (OUs). Department B provides centralized services to ten workgroups. Each workgroup has its own OU, and administrators have been given full control to manage their respective OUs. Department B currently provides Microsoft Office Sharepoint Services (MOSS) for their forest. It is important to note that as part of the integration project, you have been asked to provide MOSS for the entire campus. When I consolidate, how do I handle a complex application?

Forest C is a single domain forest with 250 users in a small township 50 miles away. It is connected to campus with a slow link (e.g. fractional T1). The computer and user objects are in separate Organizational Units. Department C provides centralized services to five workgroups, each with their own OU under Dept. C's single domain forest. Administrators have been given full control to manage their respective OUs. Slow links create an additional challenge to any project like this. How do I manage it? Would this be best with a site?

I know this is a lot; I'm just trying to get an overview of how to proceed e.g. using log on scripts.


Asked on: 2007-08-22 at 23:40:15 (ID 22781518)

Tags: domain, migration, 2003, directory, active

Topics: Active Directory, MS SharePoint, Windows 2003 Server

Participating Experts: 2 | Points: 500 | Comments: 2


Answers


by: vsg375 | Posted on 2007-08-23 at 02:06:35 | ID: 19752471

Hi,

That's probably not the answer you're looking for, but just suggesting anyway...

If all of the forests are in full 2003 mode, i.e. 2003 forest functional level, why not use cross-forest trusts? That would preserve the present architecture and still allow centralized admin if needed.

Just my 2 cents...

Cheers


by: LauraEHunterMVP | Posted on 2007-08-23 at 05:53:08 | ID: 19753783

A few thoughts in no particular order:

* "Is this forest unnecessarily complex?"

For my money, a single-domain forest will work for 90-95% of organizations out there.  The only reason to set up multiple domains within a single forest is if you have a subset of users who require a different password or account lockout policy, as at the moment these 2 things can only be set at the domain level. (However, that statement becomes untrue once Windows Server 2008 ships, as 2008 allows for multiple password policies within a single domain.)  The thing to keep in mind is that it is the forest, not the domain, that provides a true security boundary within Active Directory - if you're creating a separate domain within a forest thinking that this will prevent the administrators of that domain from "messing with" the rest of the directory, what you actually need is a separate forest.  (Because of the transitive nature of trust relationships within a forest, it is trivial for a Domain Admin in a child domain to elevate their privileges to Enterprise Admin.)  If you have multiple sites separated by slow links, you can use sites and site links within AD to control the flow of replication traffic, even within a single domain, so as not to over-burden your WAN links.

* "What do I need to consider before decommissioning a DC?"

To decommission one DC in favour of new hardware:

[1] Perform a clean install of the server OS on the new hardware. Assuming this server provides your DNS/WINS name resolution, install these services onto the new server. If this server provides DHCP, install this service.
[2] If you are introducing a DC with a new OS, run adprep /forestprep and adprep /domainprep from the 2003 media.  (If this is R2, use the version of adprep that's on Disc 2 of the R2 media.) Run dcpromo to add the new server as an additional DC in an existing domain.
[3] Configure the new DC as a Global Catalog.
[4] Transfer all 5 FSMO roles to the new DC: http://support.microsoft.com/kb/324801
[5] Configure the new DC with an authoritative time server: http://support.microsoft.com/kb/816042
[6] Configure your network clients to point to the IP address of the new DC for DNS/WINS, if applicable from #1.
[7] Transfer your DHCP scope(s), leases and reservations from the old DC to the new: http://support.microsoft.com/kb/325473. De-activate the scope(s) on the old DC and confirm continued client connectivity.
[8] Once you're ready to decommission the original hardware, either:
  * run dcpromo on the old server to remove Active Directory from the server (this is the preferred option if possible), or
  * power down the server and perform a metadata cleanup of the old DC from the new DC: http://support.microsoft.com/kb/216498

My other recommendation, based on the size of the deployment you're discussing, would be to investigate some of the third-party migration tools like the one offered by Quest.  Microsoft has the AD Migration Tool (ADMT) that's a free download from their website, but when you're working in large numbers the third-party tools can do some nicer things with reporting and making the process more seamless to your user population.
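The decommissioning steps above leave three things to confirm before the old hardware is switched off for good: that the new DC really holds all five FSMO roles (step 4), that it is a Global Catalog (step 3), and that no NTDS Settings object for the old DC survives in the configuration partition after dcpromo or metadata cleanup (step 8). The check script below is an added example and not part of the answer; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) can reach the domain, and `NEWDC01` / `OLDDC01` are placeholder names.

```powershell
# Added example: post-decommission verification for the procedure above.
# Assumes the ActiveDirectory module is available; DC names are placeholders.
Import-Module ActiveDirectory

$NewDc = 'NEWDC01'   # placeholder: the DC that should now hold every role
$OldDc = 'OLDDC01'   # placeholder: the DC being decommissioned

$forest   = Get-ADForest
$domain   = Get-ADDomain
$problems = @()

# Step [4]: every one of the five FSMO roles must now sit on the new DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    # Holders are reported as FQDNs; compare on the host name only.
    if (($role.Value -split '\.')[0] -ne $NewDc) {
        $problems += "$($role.Key) is still held by $($role.Value)"
    }
}

# Step [3]: the new DC must be a Global Catalog before the old one is removed,
# otherwise universal group lookups at logon start failing once it is gone.
if (-not (Get-ADDomainController -Identity $NewDc).IsGlobalCatalog) {
    $problems += "$NewDc is not a Global Catalog"
}

# Step [8]: after dcpromo or metadata cleanup, no NTDS Settings object for the
# old DC may remain under CN=Sites. A leftover object keeps the other DCs trying
# to replicate with a server that no longer exists.
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$stale = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$OldDc,*" }
if ($stale) {
    $problems += "$OldDc still has an NTDS Settings object: $($stale.DistinguishedName)"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $NewDc holds all five FSMO roles and is a GC; $OldDc has been cleaned up."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from the new DC after step 8; on a 2003-only environment the same facts can be read with `netdom query fsmo` and `ntdsutil`, which is what the linked KB articles describe.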
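For the slow-link situation in Forest C, the site and site link configuration the answer refers to looks like the following. This is an added example, not part of the answer; it uses the Windows Server 2012 or later ActiveDirectory cmdlets (on the 2003-era environment in the question the same settings are made by hand in Active Directory Sites and Services), and the site name, subnet and DC name are placeholders.

```powershell
# Added example: a separate AD site for the township so that its clients use the
# local DC and replication over the fractional T1 runs on a tuned schedule.
# Site name, subnet and DC name are placeholders for your own environment.
Import-Module ActiveDirectory

$campusSite   = 'Default-First-Site-Name'   # the site the campus DCs already sit in
$remoteSite   = 'Township'                  # placeholder: Dept. C's location
$remoteSubnet = '10.50.0.0/24'              # placeholder: the township's subnet
$remoteDc     = 'DEPTC-DC01'                # placeholder: the DC physically in the township

# A site only takes effect once a subnet maps clients to it; without the subnet
# the township's machines still pick campus DCs for logon and GPO processing.
New-ADReplicationSite   -Name $remoteSite
New-ADReplicationSubnet -Name $remoteSubnet -Site $remoteSite

# The site link carries the WAN tuning: a higher cost than the default (100) and
# a longer interval than the default 15 minutes, so changes batch up rather than
# trickle across the T1 all day. Logon traffic stays local either way.
New-ADReplicationSiteLink -Name "$campusSite-$remoteSite" `
    -SitesIncluded $campusSite, $remoteSite `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Move the township DC's server object into the new site so the KCC builds the
# inter-site connection through the tuned link instead of treating the DC as a
# campus machine.
Move-ADDirectoryServer -Identity $remoteDc -Site $remoteSite

# Review the result: the new link should list both sites with the chosen cost
# and replication interval.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```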
