How should I upgrade 2 Trusted (1 2000/1 2003) forests to Windows 2008?

Posted on 2009-04-30
Last Modified: 2012-05-06
I have a client who currently has 2 separate forests. 1 contains 1 2000 DC, the other contains 1 2003 DC/File Server and 1 Exchange 2003 Server; they are trusted. What would be the BEST way to do an upgrade to 2008 on new hardware on both forests? Ideally I would have liked the 2000 forest to be a new parent in an existing forest but this is how I inherited the domain structure. The 2000 domain uses Exchange off of the 2003 domain so each time I have to create a dummy user account in the 2003 AD, disable it, and then link it to an external account on the 2000 DC. I will be getting new servers and converting everything to 2008 and setting up Exchange 2007 too. Should I a) keep the existing forest structure and leave well enough alone or b) export the mailboxes to PSTs on 2000 domain user mailboxes, break the trust, and make the replacement 2008 server for the 2000 DC a new parent in an existing forest so I don't have to deal with trusts and what-not? I understand this is a lot more labor from my end because I'd have to reconfigure each PC in that particular domain because of the new SSIDs and then copy over their old profiles. Does anyone have any other suggestions?
Question by:debbiez

    Accepted Solution


    > a) ...

    This is a difficult question to answer because it depends on how well it works for you now against how you would like it to work for you in the future.

    It also depends on how much hardware you have available. Draw up something that describes what you want your forest to look like, then figure out if you have the hardware to migrate to a new forest, or if you'll need to restructure the current.

    Unless you have strong reasons for needing separate domains within a Forest I would avoid it. They don't provide you with a security boundary, and have higher administrative costs as well as hardware and software (because you need more hardware to make a fault tolerant forest).

    > and make the replacement 2008 server for the 2000 DC a new parent in an existing
    > forest so I don't have to deal with trusts and what-not

    What do you mean here? Because you cannot introduce a new root domain into a forest. You could create a disjointed name space and make this the root of a tree, but that would still mean you need to maintain a separate root domain.

    > because I'd have to reconfigure each PC in that particular domain because of the
    > new SSIDs and then copy over their old profiles

    If you can use ADMT then you can skip that step. It would require a trust between the source and destination domains but it will reconfigure the PC / Profile for you if told to.


    Author Comment

    I'm sorry, I meant creating a disjointed name space. The company wants to keep it this way instead of having just one domain name space. I just figured for Exchange administration this would be the way to go instead of 2 separate forests.

    Expert Comment

    by:Chris Dent

    Okay, makes sense. As long as you remember you can't lose the forest root domain :) It's still not what I would recommend as a setup, but I can certainly appreciate that politics tends to make life less than ideal sometimes :)


    Author Comment

    I would like to just have 1 domain myself... if I COULD convince them of that, would ADMT allow me to export the users from forest B to forest A? Now the way the Exchange mailboxes are set up now is that I have disabled user accounts in forest A that have Exchange mailboxes bound to user accounts in forest B. When I set up the Exchange 2007 and move all the mailboxes, which I think is going to be the first thing I tackle, unless that's not the best approach, forest A and B will still be intact. IF I do decide to get everything down to one domain am I going to lose my association with mailboxes for forest B? If my forest root domain is intact and I then just make forest B's new server (which will be new hardware) into a member server of the root domain, use ADMT to get the users from the old 2000 server (Forest B) into the root domain AD will I be able to keep the mailbox association? Sorry I'm stating this wrong but I hope you get the idea :)
