Solved

Intra-Forest Domain Consolidation

Posted on 2008-06-25
4
1,808 Views
Last Modified: 2012-05-05
My questions are more of a sanity check so I'd deeply appreciate your response.  I have a Windows 2003 Active Directory forest with two domains (forest root - DOMAIN 1 and a child domain - DOMAIN 2).  I'd like to consolidate the two domains into a single domain.  I'd like to use ADMT v3 for the consolidation/migration.  My questions are as follows:

1.  What is the recommended migration path for the domain consolidation?  Is it possible to migrate the objects in the forest root domain to the child domain or is the only migration path that is available is from the child domain to the forest root domain?  

2.  Are there KB articles from Microsoft that discuss the best practices and/or recommendations regarding the migration path?  

Thanks in advance!
0
Comment
Question by:tbaik
  • 2
  • 2
4 Comments
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

You don't need ADMT at all.

You can use MoveTree to move objects (I suspect Computer Accounts won't work well, but everything else should) between Domains in a single Forest. I've used it in the past with great success.

This is the MS KB article dedicated to it:

http://support.microsoft.com/kb/238394

There are a few reasons for it being better than ADMT in this situation:

1. Any connection to an Exchange Mailbox is maintained (the mailbox can be moved between servers separately, as required).

2. It maintains the SID, all rights associated with the account (including user profiles and such if I remember correctly.

The only downside is that you must remove the user from any non-universal groups prior to using the tool. As soon as the move is complete they can be re-added if applicable.

HTH

Chris
0
 

Author Comment

by:tbaik
Comment Utility
Chris-Dent,

Thanks for your response.  I guess I wasn't looking so much as to which tool to use as much as whether it's possible to migrate all of the objects and groups from the forest root domain to the child domain.  I'm asking because I thought I read somewhere that it's not possible to migrate built-in accounts and that would affect groups like Enterprise Admins and Schema Admins groups.  However I would like to verify this.  If it is possible, I would appreciate guidance in terms of KB articles.

Thanks again!

0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
Comment Utility

I'm sorry, I didn't read it in the correct order above. I was treating it as you wanting to fold the Child Domain into the Root (rather than the other way around).

You won't be able to get rid of the Root Domain, you cannot make a Child Domain the Forest Root at this stage.

You cannot move built-in security principals (such as the built-in groups) from the root domain to a child.

It's referenced in part here, although not in a lot of detail:

http://technet2.microsoft.com/windowsserver/en/library/86e371df-ca03-4366-9b01-7a13fbcab6351033.mspx?mfr=true

It does, however, clearly state that you cannot remove a domain if it has children.

Chris
0
 

Author Comment

by:tbaik
Comment Utility
Chris-Dent,

Thank you very much for your response.  I appreciate it!!

0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now