Solved

Active Directory Merge 2 "root domains" into new/one forest

Posted on 2005-05-03
Last Modified: 2008-06-23
Steps and assistance required

Scenario

CompanyA buys CompanyB
CompanyA and CompanyB would like to integrate their Active Directory structure into the same forest while keeping their original domains, no child domains but two "root domains" in a new forest.
They are both running Windows 2000 Server but are prepared to upgrade to 2003 if required

What steps are required?
What is the best way to achieve this, keeping in mind that CompanyB is 2 hours away so onsite support must be kept to a minimum?
What gotchas has anyone come across, or things to be careful of during this merger?
Time required to complete the project where both companies have two DCs.
Links to knowledge base articles or step by step guides

Please can only people who have done this or have extensive experience in doing this reply.
I do not need to know how to use or implement trust relationships so don't bother telling me as that is not the question unless it is required to achieve my final goal.

Thanks

Colin
Question by:ColinRoyds
17 Comments
 
LVL 9

Expert Comment

by:joedoe58
ID: 13917682
Look at this article to see if it gives you the needed info: http://www.windowsitlibrary.com/Content/155/07/2.html?Ad=1&
0
 
LVL 20

Accepted Solution

by:
mkbean earned 2000 total points
ID: 13917811
Hi Colin,

First and foremost you will want to ensure that you have proper DNS name resolution throughout.  Do you plan on upgrading to Server 2003 before this migration?  If so I would HIGHLY recommend the use of Stub Zones in DNS since both of these domains will be in the same forest but be different tree roots.  Here is some info on Stub zones:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/648f2efd-0ad4-4788-80c8-75f8491f660e.mspx

As for the actual migration you will need to decide on which AD migration tool you will want to use.  Microsoft offers their free one which is ADMT.   ADMT works well but there are other products from other vendors but realize you will have to pay ($$$) for them.  In my experience with ADMT most everything has worked.  You will want to migrate all of your user accounts, groups, computers and also you will want to do a Security Translation.  This will allow you to maintain your old SIDs in conjunction with the new SID for your accounts.  This way you shouldn't have to reassign too many permissions to resources.  After migrating hundreds of computers with ADMT another gotcha is that the tool has problems restarting the machine after the migration.  I had about 1% actually reboot automatically.  The domain name changed but someone had to reboot the machine.

I can't give you a timeline since every company is different and I’m not sure how many resources you have nor the politics that will happen with your migration.  I can't stress enough how important it is to have a solid plan throughout your migration.  You should test out each phase and only consider moving on once everything has passed.  ADMT does have a test migration feature that is perfect for this.  This gives you the ability to test the migration before actually going through with it.

Below is a link to Microsoft's Upgrade center.  Some of the documentation talks about NT but there is other documentation and tools there for you to look at.
http://www.microsoft.com/windowsserver2003/upgrading/nt4/upgradeassistance/default.mspx

How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970

I hope this is a good start for you.


Brian
0
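A post-migration check related to the sIDHistory migration mentioned in the answer above, as an added example that is not part of the original thread: it reviews sIDHistory values and flags any that do not come from the expected source domain or that carry a built-in privileged RID. The function name, the finding labels and the sample accounts and SIDs are constructed for illustration.

```powershell
# Added example (not from the thread): review sIDHistory entries after a migration.
# Well-known RIDs of privileged principals; these are worth reviewing if they
# show up in sIDHistory, because they carry source-domain admin rights.
$PrivilegedRids = @{
    '500' = 'Administrator'
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}

function Test-SidHistoryEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$ExpectedSourceDomainSid
    )
    # A domain account SID is <domain SID>-<RID>; split on the last hyphen.
    $cut       = $Sid.LastIndexOf('-')
    $domainSid = $Sid.Substring(0, $cut)
    $rid       = $Sid.Substring($cut + 1)

    $finding = 'OK'
    if ($domainSid -ne $ExpectedSourceDomainSid) {
        $finding = 'UNEXPECTED-DOMAIN'
    } elseif ($PrivilegedRids.ContainsKey($rid)) {
        $finding = "PRIVILEGED-RID ($($PrivilegedRids[$rid]))"
    }
    [pscustomobject]@{ Account = $Account; Sid = $Sid; Finding = $finding }
}

# Constructed sample data standing in for directory output. Against a live
# domain the same shape can be built from:
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName, sIDHistory
# passing each SID's .Value string as -Sid.
$sourceSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed source-domain SID
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';  SidHistory = @("$sourceSid-1104") }
    [pscustomobject]@{ SamAccountName = 'svc-app'; SidHistory = @("$sourceSid-512") }
    [pscustomobject]@{ SamAccountName = 'mbrown';  SidHistory = @('S-1-5-21-9-9-9-1150') }
)

$sample | ForEach-Object {
    $acct = $_
    $acct.SidHistory | ForEach-Object {
        Test-SidHistoryEntry -Account $acct.SamAccountName -Sid $_ -ExpectedSourceDomainSid $sourceSid
    }
} | Format-Table -AutoSize
```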
 
LVL 9

Expert Comment

by:joedoe58
ID: 13918098
You do not have to run ADMT unless you want to migrate the users from the two domains into one. If you are only interested in merging them into the same forest then you can follow the steps in the previous post
0

 
LVL 20

Expert Comment

by:mkbean
ID: 13918276
Are you working with two different companies with two different forests?  Do you want them to be in the same forest?  If so then you will need to migrate your accounts into one of the existing domains or a new one that you create from scratch.

Brian
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918322
Joedoe58, thanks for the link but that just takes me to definitions. I have been in IT for many years and am familiar with AD like the back of my hand, but I have never had to do this type of migration/merger before. If you can point me to a guide it will be much appreciated.
Brian, thanks for your input, but I don't need to transfer any accounts / users / computers. All I need to do is join the two domains together, and not with trust relationships but under one forest, which I know can be done. Thanks for the info on stub zones; I am aware of them but have always used secondaries in the past, but did intend to use them this time round. I agree that everything needs to be done carefully and tested properly before continuing.

But unfortunately neither of your answers has actually helped me decide on exactly how to create one new forest which combines both domains as roots. Thanks for your input so far anyway.
0
 
LVL 9

Expert Comment

by:joedoe58
ID: 13918426
If I understand you correctly you want to create a new forest, i.e. a new name, and then move your two existing domains in under that name? If not, as far as I understood from the article you only have to run dcpromo in one domain and choose join to an existing forest and you will be up and running.
0
 
LVL 20

Expert Comment

by:mkbean
ID: 13918503
ColinRoyds,

There is no way to merge two forests into one without a migration.  The forest is the security boundary which shares automatically created two-way transitive trusts, a common Schema and Global Catalog.  Because of that you cannot just merge them.  Many people have wanted to do just that but that solution does not exist.  If you run dcpromo on one of your existing domains it will remove AD and all the accounts with it.  That is why a migration is needed.

I'm with you...I really wish there was a way but I have been teaching AD since its conception and you just can't merge two forests.  :-(

Here is another link that mentions it is not possible.
http://forums.techarena.in/archive/index.php/t-64475.html


Brian
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918558
perhaps this will help


Existing structure

                Forest Company A                                             Forest Company B
                          :                                                                      :
                  companyA.com                buys                            companyB.com

Would like :
                                                   
                                                    Forest CompanyAB
                                                    :                         :
                                       CompanyA.com       CompanyB.com


????????????????????????????????????????????????????????????????????????????????
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918594
Brian
Thanks for your input, problem is I know it can be done, as it was done at a previous client of mine by my IT director, the thing is I have left the company and we are now fighting for the same client so I can not ask him.
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918688
Joedoe58
Thanks I am aware of trusts and how to create them as mentioned in the question, but it still will not create one forest as required
0
 
LVL 9

Expert Comment

by:joedoe58
ID: 13918740
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918814
Joedoe58
That's great for renaming, but it does not help. Have you done anything like this before???????
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13918854
Chaps, I am grateful for your input, but seriously, if you have a look at my points you will see I am no idiot to IT and have a serious idea about Windows. If you have done this before or can offer a genuine solution then please carry on; if not, thanks for your help but I will see what everyone else has to say. Please don't take this the wrong way. I appreciate the suggestions but we don't seem to be any closer.

Thanks

Colin
0
 
LVL 20

Expert Comment

by:mkbean
ID: 13919215
ColinRoyds,

I don't think any of us think you are an idiot and hope that my comments did not make you feel that way.  However I would stress to you what you are trying to accomplish is indeed going to need a migration.  If you can call your IT Director and ask him/her what they did that would be great.  I will continue to search for some official documentation to help clarify this.

Brian
0
 
LVL 12

Author Comment

by:ColinRoyds
ID: 13919423
Hi Brian

No, I never meant it like that and you didn't make me feel like an idiot. I just feel that all the recommendations are not getting us anywhere, although as I said before I appreciate the help. I wish I could call my ex IT Director, but when you are in competition against each other that is no longer possible.
Perhaps I do need to create a new Domain of sorts and migrate the two existing into it. I am not certain, but this is what I need to find out.
My point is it's great to say you need to migrate them, but how? That is why I am hoping to speak to someone who has already done this. I am certain that there must be at least a few, as company merges are commonplace and someone else must have been in the same position as I am now.
0
 

Expert Comment

by:Dan-MV
ID: 21848887
Hello all,

I am attempting a very similar migration.  I am curious to know what the final disposition on this question was?

Thanks,
0
