Mrstrike

asked on

Infrastructure migration to a new Domain. Joining TS and SQL

I need some expert help with some Infrastructure migration.

I have a client that refuses to spend money on their network. They have a break/fix mindset. The only time they spend money on their network is when it breaks and production stops. That mindset has led to a patchwork-style network held together with gum and super glue.

Well, something has broken, and now they need to fix it. I want to use this opportunity to improve their network infrastructure as much as possible.

Here is what they currently have.

DOMAIN 1
BlaBlacompany.local

•  Win03 server. Function: Exchange03, file server, domain controller, FSMO holder. This is the only server in this domain.

DOMAIN2
Company.local

•  Win2K server. Function: terminal server, domain controller
•  Win2K server. Function: domain controller, FSMO holder. This is where a trust relationship is set up between the 2 domains.
•  Win03 server. Function: member server running SQL only. All the workstations (and the terminal server) have the MAS500 client software installed.

GOALS
I want to get all the servers onto one domain and dissolve the other domain. All of the workstations are joined to DOMAIN1. They have their computers and desktops set up how they want them.

SCENARIO
The terminal server is broken and needs to be rebuilt from scratch. The Sage (MAS500) software people have convinced my client that it's not their software that is broken, and that the terminal server needs to be rebuilt. I don't fully agree with this, but the decision has been made and I'll use this opportunity to upgrade them to Win03 with the proper TS CALs.

MIGRATION PLAN
Please critique my migration plan.
•  On the DOMAIN2 Win2K terminal server: make this the FSMO holder. Set up the trust relationship between the 2 domains from here.
•  Take the second Win2K server offline, format it, install Win03, join it to DOMAIN1, and configure it as the new terminal server.
•  Join SQL to the other domain.
•  Point the firewall to the new Win03 terminal server.
•  At this point the old Win2K terminal server will be the only server in DOMAIN2. Run dcpromo and dissolve this domain completely.

QUESTION
I know nothing about SQL. What risks are there in joining the SQL server to another domain? It will change the name of the server (from sql.company.local to sql.BlaBlacompany.local); what impact will that have? Will that affect the MAS500 clients?

I know this may have been long, but I wanted to be thorough.
Thank you for any help you can offer.
Chad
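Added example, not part of the original thread or of any answer in it: the inventory a DBA would run on the MAS500 SQL Server before moving it from company.local to BlaBlacompany.local. It assumes the old domain's NetBIOS name is COMPANY, the new one is BLABLACOMPANY, the machine name stays SQL (only the DNS suffix changes), and SQL Server 2000 or 2005 (it uses the legacy master..syslogins / sysusers / sysmembers views so it runs on both; the MAS500Users group and MAS500_app database names are hypothetical). Two things actually change when a member server is moved to another domain: its FQDN, which MAS500 clients connecting by plain server name never see but anything using the FQDN or a Kerberos SPN does, and the domain SIDs behind every COMPANY\ Windows login, and behind the SQL Server service account if it runs as a COMPANY\ account. Those logins cannot be "moved"; they have to be re-created under the new domain, and the service account switched, before DOMAIN2 is dissolved, or they stop resolving for good.

```sql
-- Added example (not from the thread). Pre-migration checks for the MAS500
-- SQL Server before it leaves company.local for BlaBlacompany.local.
-- Assumptions: old domain NetBIOS name COMPANY, new one BLABLACOMPANY,
-- machine name SQL, SQL Server 2000/2005 (legacy system views).

-- 1. Windows logins and groups that live in the OLD domain. Their SIDs stop
--    resolving once the box is in the new domain, so every MAS500 user or
--    service that authenticates through them loses access. Re-create the
--    sysadmin ones first or you lock yourself out (keep 'sa' usable as a
--    fallback; SQL logins are not touched by a domain move).
SELECT name,
       CASE WHEN isntgroup = 1 THEN 'group' ELSE 'user' END AS kind,
       sysadmin
FROM master..syslogins
WHERE isntname = 1
  AND name LIKE 'COMPANY\%'
ORDER BY sysadmin DESC, name;

-- 2. Database users and role memberships mapped to those logins, so the
--    same grants (and no more) can be redone for the BLABLACOMPANY\
--    versions. Run inside each MAS500 database.
USE MAS500_app;   -- hypothetical application database name
SELECT u.name AS db_user, l.name AS login_name, r.name AS db_role
FROM sysusers u
JOIN master..syslogins l ON u.sid = l.sid
LEFT JOIN sysmembers m ON m.memberuid = u.uid
LEFT JOIN sysusers r ON r.uid = m.groupuid
WHERE l.isntname = 1
  AND l.name LIKE 'COMPANY\%'
ORDER BY u.name, r.name;

-- 3. The name SQL Server believes it has versus the Windows machine name.
--    A DNS-suffix-only change keeps these equal; if the box is renamed they
--    differ, and linked servers, replication and some clients break until
--    sp_dropserver / sp_addserver is run and the service restarted.
DECLARE @machine sysname;
SET @machine = CAST(SERVERPROPERTY('MachineName') AS sysname);
SELECT @@SERVERNAME AS sql_server_name, @machine AS windows_machine_name;
IF @@SERVERNAME <> @machine
    PRINT 'Mismatch: EXEC sp_dropserver ''' + @@SERVERNAME
        + '''; EXEC sp_addserver ''' + @machine
        + ''', ''local''; then restart the SQL Server service.';

-- 4. Remediation after the domain change, once per old-domain principal,
--    mirroring the roles found in step 2 (hypothetical group name):
-- EXEC sp_grantlogin 'BLABLACOMPANY\MAS500Users';
-- USE MAS500_app;
-- EXEC sp_grantdbaccess 'BLABLACOMPANY\MAS500Users';
-- EXEC sp_addrolemember 'db_datareader', 'BLABLACOMPANY\MAS500Users';
```

Run steps 1 to 3 while the server is still in company.local and keep the output; step 4 is the template for rebuilding the logins afterwards. Confirm with Sage which of their logins are Windows logins versus the MAS500 application's own SQL logins, since only the former are affected.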
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan
This solution is only available to members of Experts Exchange.
Mrstrike

ASKER

Thank you, Mr Husy.
OK, I will call Sage Software (the MAS500 creators) to triple-check joining the SQL server to another domain.

"If you ask my opinion, it is much easier to dissolve DOMAIN1. By using ADMT (Active Directory Migration Tool) you would transfer users and policies easily"

You are not the first person to say that. However, if I dissolve DOMAIN1 I will have to rejoin 50+ workstations to DOMAIN2. While I have seen a few handy scripts, the biggest drawback will be the client perception. They will lose all the stuff on their desktop unless I run FAST (Files and Settings Transfer Wizard), and that will take 3 hours per machine. In their minds they are thinking "My computer works fine, why are you messing with it?"
... unless you know of a script that will keep the desktop the same? (But that will be a different thread :-) )

"And I don't recommend TS to hold the FSMOs, it is even not a good idea to keep TS as a DC"

I wholeheartedly agree. However, the TS is already a DC (before my time). My plan to have the current old TS as a DC holding the FSMOs would be only for 48 hours or so.

My intention is not to challenge your advice, if there is a flaw in my thinking PLEASE poke holes in it. I have no ego to bruise.
cheers
chad
Alan Huseyin Kayahan

Hi Chad,
The following question perfectly fits your issue and explains what I meant by using ADMT. You don't have to rejoin the clients :).

Objective: Managing and Maintaining an Active Directory Infrastructure
SubObjective : Manage an Active Directory Forest and Domain Structure
Single Answer Multiple Choice

You are the network administrator for Cliner Gattam International (CGI). The company's logical network design consists of a single Active Directory domain named cgi.com. CGI has five offices. An Active Directory site is created for each location. All servers run Windows Server 2003, and all client computers run Windows XP Professional.

CGI has recently merged with Smithfield Manufacturing (SFM). The company's logical network design consists of a single Active Directory domain named sfmanu.com.

SFM has 1000 employees at one manufacturing plant. These employees must have user accounts in cgi.com and be able to authenticate and access resources on the cgi.com network. You will be deploying cgi.com domain controllers at the SFM site. All client computers in this location will join the domain. The site administrator provides you with a comma-delimited file containing user object information from sfmanu.com. You plan to import this data to Active Directory using the csvde utility.

SFM users must maintain their existing e-mail identities (user@sfmanu.com). However, you have been instructed to maintain a single Active Directory domain. You must be able to import this data while allowing the new users to maintain their existing e-mail identities.

What should you do?

A. Create a one-way forest trust using Netdom in which cgi.com trusts sfmanu.com.
B. Create a one-way forest trust using Netdom in which sfmanu.com trusts cgi.com.
C. Create a UPN suffix named sfmanu.com using Active Directory Domains and Trusts.
D. Migrate the user accounts from sfmanu.com to cgi.com using the Active Directory Migration Tool (ADMT).


Answer:
C. Create a UPN suffix named sfmanu.com using Active Directory Domains and Trusts.

Tutorial:
You should create a UPN suffix named sfmanu.com using Active Directory Domains and Trusts.

To import the text file from sfmanu.com, you must use Active Directory Domains and Trusts to create a UPN suffix named sfmanu.com. The comma-delimited text file will be exported from sfmanu.com using the user principal name as user@sfmanu.com. Creating a matching UPN suffix will allow the text file to be imported using the csvde utility. This action will meet the requirement to allow users to retain their Smithfield Manufacturing identities.

The user principal name (UPN) suffix is the part of the UPN to the right of the @ character. By default, the UPN suffix for a user account is the DNS domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is applicable within the Active Directory forest, but is not required to be a valid DNS domain name.

You should not create a one-way forest trust relationship in either direction. Because the migration is being performed by importing from a text file, a trust relationship is not necessary. Trust relationships are required when you are migrating objects from one forest to another using a migration tool, such as ClonePrincipal.

You should not migrate the user accounts from sfmanu.com to cgi.com using the Active Directory Migration Tool (ADMT). The Active Directory Migration Tool (ADMT) is used to perform intraforest or interforest object migrations. However, ADMT cannot be used to import objects from comma-delimited files.

Reference:
1. Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure - Module 4: Implementing User, Group, and Computer Accounts
- Lesson: Implementing User Principal Name Suffixes - All

2. Windows Server 2003 Help - Search
- To add user principal name suffixes