Solved

(200 pts) Growing an AD tree the wrong way

Posted on 2001-08-17
Last Modified: 2010-04-13
Hi experts,

this question arose in a training I recently attended, and nobody (including the trainer) could give a satisfactory answer. Any input welcome (but no stabbing in the dark please, this thing may be really important for someone some time).

Scenario: in a large company there have been some guys trying to rush their Windows 2000 to be the first to have it; they made up their own DNS and created a domain named departement.mycompany.com. Unfortunately those people knew their job very well, the domain works excellently and they already implemented Internet access, group policies, and software management in their domain, which also contains a quite large number of users (close to 400) and approx. 10 servers and more than 300 client computers. So there isn't a simple way to shut them down any more.

Now the question is whether it is possible to create mycompany.com and put departement.mycompany.com underneath it to get things in the structure it should originally have had.

Currently mycompany.com does not exist yet, and departement.mycompany.com is in mixed mode, but could be switched to native mode if that was an advantage to clear the scenario.

I already tried to install the scenario on some machines here, and found that I cannot create mycompany.com if department.mycompany.com already exists, at least I cannot create the mycompany.com domain in the same forest. I can create the domain in a separate forest.

Now I am not experienced enough in AD to completely understand what change in behaviour a setup with more than one forest has. I also haven't yet worked with the various import/export/migration tools provided by Microsoft.

Questions:

* is there another way to append mycompany.com to the existing forest?
* can I join the two domains if they are in different forests by manually establishing trusts?
* what disadvantages does a two forest scenario have compared to having one forest? Are there advantages as well?
* is there a way to create mycompany.com in a new forest and then move department.mycompany.com there with minimal loss of data (access rights, user passwords, and such), and is the move affected by whether one or both of the domains are set up to use mixed/native mode? In other words, given that having a single forest is declared a must, what efforts will it take to move the department domain?

I do assume that more than one expert will contribute. To make splitting points easier for me I set this question at 50, and will increase points and/or post dummy questions as soon as I feel I got my info.

WARNING. This question is intended to increase my knowledge about the AD. No stabbing in the dark please, and please give the info in a form so I can not only understand what to do, but also why. No need to type books though. I have access to MS-KB, Technet, and the W2k Resource Kit books, along with most of the MS Press literature and several MCP Training kits. So a pointer to a specific page or chapter will do nicely, unless you suggest I just "read the whole books x,y and z" :-).

Armin Linder
0
Question by:arminl
5 Comments
 
LVL 4

Author Comment

by:arminl
ID: 6397905
Found one answer: I can establish trusts with outside domains. Will establish this tomorrow. I am pretty curious whether I can use my global and universal groups in the other forest ...
0
 
LVL 10

Expert Comment

by:HDWILKINS
ID: 6399039
The answer is a trust relationship.  Both domains would trust each other and yes, they would have rights if assigned. That's exactly what a Trust Relationship does.

I think you would want to think through the implementation of Exchange Mail and things like this. However, if the second domain wasn't up yet, and a second domain wasn't needed, then I'd just go with the first domain throughout the network.

HW
0
 
LVL 5

Accepted Solution

by:
matt023 earned 100 total points
ID: 6403069
"Now the question is whether it is possible to create mycompany.com and put departement.mycompany.com underneath it to get things in the structure it should originally have had."

>> No.  The first domain controller creates the root domain which defines the forest/tree.


"is there another way to append mycompany.com to the existing forest?"

>> No, unless you create another forest with the root domain called "mycompany.com" and create a trust at the root level between the 2 forests.

"* can I join the two domains if they are in different forests by manually establishing trusts"

>> yes

"* what disadvantages does a two forest scenario have compared to having one forest? Are there advantages as well?"

>> Higher administrative complexity.  Security - when the 2 forests trust each other, all domains within both forests automatically create transitive trusts.  Unwanted resource access can occur.  More complicated replication scheme.

"* is there a way to create mycompany.com in a new forest and then move department.mycompany.com there with minimal loss of data (access rights, user passwords, and such), and is the move affected by whether one or both of the domains are set up to use mixed/native mode? In other words, given that having a single forest is declared a must what efforts will it take to move the department domain?"

>> yes, but you'll have to create the mycompany.com domain as the root domain, then re-create the department.mycompany.com and join it (do this in a separate subnet since there will be 2 department.mycompany.com domains).  You can then use ADMT (Active Directory Migration Tool) - download from MS - to move user and group accounts from one domain to another.  However, you'll have to test it since both domains will have the same name (department.mycompany.com).  This can cause DNS and logon problems if not carefully planned.
Mixed/Native mode has nothing to do with Win2k domains.  Only used for downlevel servers.


0
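The point matt023 raises above, that a trust between two forests can open access more widely than intended, is something an administrator should be able to verify rather than take on faith. The following is an added example, not code from the original thread or from any of its participants, and it assumes a current Windows environment with the RSAT ActiveDirectory PowerShell module (the Windows 2000 setup discussed here had no such cmdlets). The function name Get-TrustRiskReport is a hypothetical name chosen for this example; the cmdlets and the trust properties it reads (Direction, ForestTransitive, IntraForest, SIDFilteringQuarantined, SIDFilteringForestAware) are real. It lists every trust the current domain holds and flags the settings that let principals from the other side reach resources here.

```powershell
# Added example (not from the original thread): audit the trusts of the
# current domain and flag the settings that widen access across a forest
# boundary. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param(
        # Domain whose trust objects are read; defaults to the caller's own domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t = $_
        $findings = @()

        # An inbound or bidirectional trust means principals from the other
        # domain can be granted access to resources here; that is the direction
        # in which "unwanted resource access" would show up.
        if ($t.Direction -in 'Inbound', 'BiDirectional') {
            $findings += 'grants-access-to-foreign-principals'
        }

        # A forest-transitive trust extends to every domain of the other forest,
        # not only the two root domains that established it.
        if ($t.ForestTransitive) {
            $findings += 'transitive-across-whole-forest'
        }

        # SID filtering discards SIDs from the trusted side that do not belong
        # to it (e.g. injected SIDHistory values). External trusts use the
        # "quarantine" form, forest trusts the "forest aware" form; a trust
        # leaving the forest with neither enabled deserves a second look.
        $sidFiltered = $t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware
        if (-not $t.IntraForest -and -not $sidFiltered) {
            $findings += 'sid-filtering-off'
        }

        [pscustomobject]@{
            Source    = $t.Source
            Target    = $t.Target
            Type      = $t.TrustType
            Direction = $t.Direction
            Findings  = ($findings -join ',')
        }
    }
}

# Usage: run on a domain-joined machine with rights to read trust objects.
Get-TrustRiskReport | Format-Table -AutoSize
```

Any trust listed with grants-access-to-foreign-principals is where the group memberships and ACLs on the local side need reviewing; a two-forest design as proposed in this thread would show the root-level trust with that finding in both directions, which is exactly the administrative overhead the accepted answer warns about.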
 
LVL 9

Expert Comment

by:gregcmcse
ID: 6404021
One additional note:  "pruning" and "grafting" active directory trees and forests (which is basically what you want to do here) was something Microsoft knew would be a problem in Windows 2000 and they decided that a 3rd party would probably come up with a solution -- so they decided not to worry about it.  To date, I'm not aware of anyone coming up with a solution.  This is why Microsoft makes it clear in the MOC (Microsoft Official Curriculum) that you REALLY need to plan your domain carefully.

Well, not everyone reads the MOC books or takes the classes.  Realizing this, Microsoft is putting this functionality into Whistler Server (which I think Microsoft has officially named Windows .NET Server 2002 this month -- it's changed a few times).

That said, I haven't beta-tested Whistler Server -- so I can't comment on whether it's really there or whether it works in all situations.

0
 
LVL 4

Author Comment

by:arminl
ID: 6411315
Thanks for the input, experts.

I split my points as follows:

100 for matt for the most complete answer
50 hdwilkins and gregcmcse for their contributions (Please see dummy questions in this forum to pick up your points)

Armin Linder
0
