Solved

2 forests, same domain name, same network: what do I need to be careful of?

Posted on 2007-04-03
483 Views
Last Modified: 2012-05-05
I would like to know the impact if 2 separate forests (Windows Server 2003) on the same network have the same domain name.
Is the impact the same if I have 2 forests with the same domain name on 2 different subnets and route the two subnets so they can communicate with each other?
Question by:WebHunter76
5 Comments
 
LVL 8

Assisted Solution

by:RichardSlater
RichardSlater earned 30 total points
ID: 18845303
You are going to run into some major problems with that. The two domains could quite happily coexist on the same physical network; however, you would need to make special arrangements with DHCP (i.e. reservations on each domain for all devices). Communication between the two domains is probably going to be a big problem because there is no way to differentiate between the two.
 
LVL 30

Accepted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 120 total points
ID: 18845500
If by communications you are trying to establish any sort of a trust relationship so that users in one domain will be able to access resources in the other, this will not be difficult...it will be impossible.  (Trust relationships cannot be created between two domains that have the same name under any circumstances.)

Additionally, you will experience issues with any sort of NetBIOS traffic, since NetBIOS will detect a conflict between the NetBIOS records for the two separate domains. Even if you remove NetBIOS conflicts from the picture, you will need to procedurally enforce uniqueness of FQDNs across the two domains, since DNS resolution will obviously go haywire if you have two separate IP addresses configured for server1.domain.com.

Frankly I think it's asking for more trouble than it's worth - I certainly wouldn't deploy something like you're describing onto a production network.  My $.02, anyway.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

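The two failure modes named in the accepted answer (the same FQDN resolving to two different addresses, and NetBIOS name conflicts) can both be audited before any migration work starts. The script below is an added illustration, not code from the thread or from any Microsoft tool: it takes a host-name-to-address export from each forest's DNS zone (the two dictionaries are constructed sample data, with hypothetical host names and private addresses) and reports every FQDN that would resolve to different IPs and every NetBIOS computer name that would collide across the two forests. Note that the domain's own NetBIOS name collides by construction when both forests use the same name; this check covers the host records.

```python
"""Audit two DNS zone exports that share one domain name for host-name conflicts.

Added example for this thread, not from the original post. The zone data is
constructed (hypothetical hosts, RFC 1918 addresses) and stands in for what
you would export from each forest's DNS server (e.g. with dnscmd /ZoneExport).
"""

DOMAIN = "domain.com"  # assumed shared domain name used by both forests

# Constructed zone export for forest A: hostname -> IPv4 address.
ZONE_FOREST_A = {
    "dc1": "10.10.0.10",
    "dc2": "10.10.0.11",
    "server1": "10.10.0.20",
    "fileserver-production": "10.10.0.30",
    "sql1": "10.10.0.40",
}

# Constructed zone export for forest B (same domain name, different subnet).
ZONE_FOREST_B = {
    "dc1": "172.16.0.10",
    "server1": "172.16.0.20",
    # Distinct FQDN, but NetBIOS truncation to 15 characters collides with forest A.
    "FILESERVER-PRODUCTION-NEW": "172.16.0.30",
    "exchange": "172.16.0.50",
}


def netbios_name(hostname: str) -> str:
    """Derive the NetBIOS computer name Windows uses: first label, first 15 chars, upper-case."""
    return hostname.split(".")[0][:15].upper()


def fqdn_conflicts(zone_a: dict, zone_b: dict, domain: str = DOMAIN) -> dict:
    """Return {fqdn: (ip_a, ip_b)} for names present in both zones with different addresses.

    DNS names are case-insensitive, so hostnames are normalised to lower-case first.
    """
    a = {h.lower(): ip for h, ip in zone_a.items()}
    b = {h.lower(): ip for h, ip in zone_b.items()}
    return {
        f"{host}.{domain}": (a[host], b[host])
        for host in sorted(a.keys() & b.keys())
        if a[host] != b[host]
    }


def netbios_conflicts(zone_a: dict, zone_b: dict) -> dict:
    """Return {netbios_name: [(forest_tag, hostname), ...]} for names that collide across forests."""
    seen: dict = {}
    for tag, zone in (("A", zone_a), ("B", zone_b)):
        for host in zone:
            seen.setdefault(netbios_name(host), []).append((tag, host))
    # Keep only names that appear in both forests (cross-forest collisions).
    return {
        name: entries
        for name, entries in seen.items()
        if len({tag for tag, _ in entries}) == 2
    }


def report(zone_a: dict, zone_b: dict) -> str:
    """Human-readable summary of both conflict classes."""
    lines = []
    for fqdn, (ip_a, ip_b) in fqdn_conflicts(zone_a, zone_b).items():
        lines.append(f"FQDN conflict: {fqdn} -> forest A {ip_a}, forest B {ip_b}")
    for name, entries in sorted(netbios_conflicts(zone_a, zone_b).items()):
        hosts = ", ".join(f"{tag}:{host}" for tag, host in entries)
        lines.append(f"NetBIOS conflict: {name} <- {hosts}")
    return "\n".join(lines) if lines else "No conflicts found."


if __name__ == "__main__":
    print(report(ZONE_FOREST_A, ZONE_FOREST_B))
```

On the sample data the report flags dc1 and server1 as FQDN conflicts and DC1, SERVER1 and FILESERVER-PROD as NetBIOS conflicts; the last one shows why checking full DNS names alone is not enough, since two different FQDNs can still truncate to the same 15-character NetBIOS name.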
 

Author Comment

by:WebHunter76
ID: 18847747
The main concern is that I want to recreate a new Active Directory forest with the same name so users will not be affected by the change (no local profile to copy), because the actual AD structure is too bad and I have to restart from scratch (actually 4 DCs on AD 2003 (DHCP + DNS) + 2 SQL, all on the same class C subnet). I want to have only 2 DCs with DHCP & DNS on Windows 2003, with SQL and Exchange Server 2003 as member servers and not DCs at the same time as they are now, plus a file server and finally a production server in a new class B subnet. It is possible for me to have some maintenance periods, but never more than 8 hours a week for the servers.
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 120 total points
ID: 18847771
I certainly understand the desire to have a transparent migration process for your users. However, I can promise you to a nearly 100% certainty that you won't be able to pull off that kind of migration by standing up two forests with the same name on the same network.  It just plain won't work.

It's also worth noting that, even if you were to move UserA from ForestA(1) to ForestA(2), a new profile would be generated because ForestA(1)\UserA and ForestA(2)\UserA would possess different SIDs, which would screw up the permissions on the local profile -anyway-.

If your organization's tolerance for downtime is that low for a migration of that level of complexity, I might recommend investing in a third-party migration tool from someone like Quest or NetPro.  A tool like that has a dollar-value pricetag associated with it, but it will drastically cut down the amount of time your migration process will take.

 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 120 total points
ID: 18847814
Additionally, any migration tool is going to require (or at least =strongly recommend=) that a trust relationship exist between the source and target domains in order to perform the migration.  As I mentioned above, this is not possible when 2 domains have the same name.
