Solved

Intra-Forest Domain Consolidation

Posted on 2008-06-25
4
1,812 Views
Last Modified: 2012-05-05
My questions are more of a sanity check so I'd deeply appreciate your response.  I have a Windows 2003 Active Directory forest with two domains (forest root - DOMAIN 1 and a child domain - DOMAIN 2).  I'd like to consolidate the two domains into a single domain.  I'd like to use ADMT v3 for the consolidation/migration.  My questions are as follows:

1.  What is the recommended migration path for the domain consolidation?  Is it possible to migrate the objects in the forest root domain to the child domain or is the only migration path that is available is from the child domain to the forest root domain?  

2.  Are there KB articles from Microsoft that discuss the best practices and/or recommendations regarding the migration path?  

Thanks in advance!
0
Comment
Question by:tbaik
  • 2
  • 2
4 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21872787

You don't need ADMT at all.

You can use MoveTree to move objects (I suspect Computer Accounts won't work well, but everything else should) between Domains in a single Forest. I've used it in the past with great success.

This is the MS KB article dedicated to it:

http://support.microsoft.com/kb/238394

There are a few reasons for it being better than ADMT in this situation:

1. Any connection to an Exchange Mailbox is maintained (the mailbox can be moved between servers separately, as required).

2. It maintains the SID, all rights associated with the account (including user profiles and such if I remember correctly.

The only downside is that you must remove the user from any non-universal groups prior to using the tool. As soon as the move is complete they can be re-added if applicable.

HTH

Chris
0
 

Author Comment

by:tbaik
ID: 21874584
Chris-Dent,

Thanks for your response.  I guess I wasn't looking so much as to which tool to use as much as whether it's possible to migrate all of the objects and groups from the forest root domain to the child domain.  I'm asking because I thought I read somewhere that it's not possible to migrate built-in accounts and that would affect groups like Enterprise Admins and Schema Admins groups.  However I would like to verify this.  If it is possible, I would appreciate guidance in terms of KB articles.

Thanks again!

0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21874665

I'm sorry, I didn't read it in the correct order above. I was treating it as you wanting to fold the Child Domain into the Root (rather than the other way around).

You won't be able to get rid of the Root Domain, you cannot make a Child Domain the Forest Root at this stage.

You cannot move built-in security principals (such as the built-in groups) from the root domain to a child.

It's referenced in part here, although not in a lot of detail:

http://technet2.microsoft.com/windowsserver/en/library/86e371df-ca03-4366-9b01-7a13fbcab6351033.mspx?mfr=true

It does, however, clearly state that you cannot remove a domain if it has children.

Chris
0
 

Author Comment

by:tbaik
ID: 21876930
Chris-Dent,

Thank you very much for your response.  I appreciate it!!

0

Featured Post

Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Microsoft DNS on Windows Server 2012 R2 10 60
Event ID 29 KDC Win 2008 R2 DC 6 16
Active Directory Design - Best Practice 9 47
DNS server pulling non-authorative answer 3 29
Synchronize a new Active Directory domain with an existing Office 365 tenant
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question