Solved

Intra-Forest Domain Consolidation

Posted on 2008-06-25
Last Modified: 2012-05-05
My questions are more of a sanity check so I'd deeply appreciate your response.  I have a Windows 2003 Active Directory forest with two domains (forest root - DOMAIN 1 and a child domain - DOMAIN 2).  I'd like to consolidate the two domains into a single domain.  I'd like to use ADMT v3 for the consolidation/migration.  My questions are as follows:

1.  What is the recommended migration path for the domain consolidation?  Is it possible to migrate the objects in the forest root domain to the child domain, or is the only available migration path from the child domain to the forest root domain?

2.  Are there KB articles from Microsoft that discuss the best practices and/or recommendations regarding the migration path?  

Thanks in advance!
Question by:tbaik
4 Comments
 

Expert Comment

by:Chris Dent
ID: 21872787

You don't need ADMT at all.

You can use MoveTree to move objects (I suspect Computer Accounts won't work well, but everything else should) between Domains in a single Forest. I've used it in the past with great success.

This is the MS KB article dedicated to it:

http://support.microsoft.com/kb/238394

There are a few reasons for it being better than ADMT in this situation:

1. Any connection to an Exchange Mailbox is maintained (the mailbox can be moved between servers separately, as required).

2. It maintains the SID and all rights associated with the account (including user profiles and such, if I remember correctly).

The only downside is that you must remove the user from any non-universal groups prior to using the tool. As soon as the move is complete they can be re-added if applicable.

HTH

Chris
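An added example, not part of the post above: a PowerShell sketch that turns the "remove from non-universal groups, then re-add" step into a recorded plan, so the memberships (and the access they grant) are restored exactly as they were after the move. The function names, the output file name and the sample records are hypothetical; the scope bits are the documented values of the `groupType` attribute.

```powershell
# Scope bits of the Active Directory groupType attribute.
$GT_GLOBAL       = 0x00000002
$GT_DOMAIN_LOCAL = 0x00000004
$GT_UNIVERSAL    = 0x00000008

function Get-GroupScope {
    # groupType is stored as a signed 32-bit value (security groups are negative),
    # so test the individual bits instead of comparing whole numbers.
    param([int64]$GroupType)
    if     ($GroupType -band $GT_UNIVERSAL)    { 'Universal' }
    elseif ($GroupType -band $GT_GLOBAL)       { 'Global' }
    elseif ($GroupType -band $GT_DOMAIN_LOCAL) { 'DomainLocal' }
    else                                       { 'Unknown' }
}

function Get-PreMoveGroupPlan {
    # Hypothetical helper: input objects need User, Group and GroupType properties.
    param([Parameter(ValueFromPipeline = $true)] $Membership)
    process {
        $scope  = Get-GroupScope -GroupType $Membership.GroupType
        $action = switch ($scope) {
            'Universal' { 'Keep' }             # no change needed before the move
            'Unknown'   { 'Review' }           # unexpected value: check by hand
            default     { 'RemoveThenReAdd' }  # Global and DomainLocal
        }
        [pscustomobject]@{
            User   = $Membership.User
            Group  = $Membership.Group
            Scope  = $scope
            Action = $action
        }
    }
}

# Constructed sample memberships (not real directory data).
$sample = @(
    [pscustomobject]@{ User = 'jdoe';   Group = 'Sales-Global';    GroupType = -2147483646 }
    [pscustomobject]@{ User = 'jdoe';   Group = 'FileShare-Local'; GroupType = -2147483644 }
    [pscustomobject]@{ User = 'jdoe';   Group = 'AllStaff-Univ';   GroupType = -2147483640 }
    [pscustomobject]@{ User = 'asmith'; Group = 'News-DL-Global';  GroupType = 2 }
)

$plan = $sample | Get-PreMoveGroupPlan
$plan | Format-Table -AutoSize

# Keep the removal list as the record for re-adding memberships after the move.
$plan | Where-Object { $_.Action -eq 'RemoveThenReAdd' } |
    Export-Csv -Path .\readd-after-move.csv -NoTypeInformation
```

Feed the function real membership records exported from the source domain in place of `$sample`, and keep the CSV with the change record for the migration.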
 

Author Comment

by:tbaik
ID: 21874584
Chris-Dent,

Thanks for your response.  I guess I wasn't looking so much as to which tool to use as much as whether it's possible to migrate all of the objects and groups from the forest root domain to the child domain.  I'm asking because I thought I read somewhere that it's not possible to migrate built-in accounts and that would affect groups like Enterprise Admins and Schema Admins groups.  However I would like to verify this.  If it is possible, I would appreciate guidance in terms of KB articles.

Thanks again!

 

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 21874665

I'm sorry, I didn't read it in the correct order above. I was treating it as you wanting to fold the Child Domain into the Root (rather than the other way around).

You won't be able to get rid of the Root Domain; you cannot make a Child Domain the Forest Root at this stage.

You cannot move built-in security principals (such as the built-in groups) from the root domain to a child.

It's referenced in part here, although not in a lot of detail:

http://technet2.microsoft.com/windowsserver/en/library/86e371df-ca03-4366-9b01-7a13fbcab6351033.mspx?mfr=true

It does, however, clearly state that you cannot remove a domain if it has children.

Chris
 

Author Comment

by:tbaik
ID: 21876930
Chris-Dent,

Thank you very much for your response.  I appreciate it!!
