

Merging one domain into another, pitfalls?

Posted on 2009-12-16
Medium Priority
Last Modified: 2012-05-08
Our company currently has 2 domains.  MainDomain.local has 5 branches connected to it, and about 100 computers and 80 or so users.  Each branch also has a server that handles DHCP, DNS and acts as a file server for that branch.  The main branch also has an Exchange server that everyone connects to.  CampDomain.local has 8 users and about 10 computers.  They used to be on ISDN, which is why they were put on their own network.  Their server handles DNS, DHCP and file server duties.  They connected to the main site via VPN for Exchange, where they also had an account (each user at CampDomain essentially had 2 logins).

I've finally been able to put them on a T1, so I want to get rid of the CampDomain and get everyone on MainDomain.  Is there a recommended way to do this?  Here's my current plan:

Back up the file server stuff.
Use dcpromo and remove all the roles on the CampDomain server.
Change the domain to MainDomain.
Change all the permissions on the file shares to the accounts on MainDomain.
Set up DNS and DHCP.
Change the domain on the client computers to MainDomain.
See what that breaks and possibly set up each user fresh on their computer.

I'm guessing there is an easier way to migrate these together that I don't know about.  I'm sure I'm missing some things that are going to go wrong as well.  Thanks!
Question by:AdamYMCA
LVL 19

Accepted Solution

PeteJThomas earned 1000 total points
ID: 26070660
Ever heard of the ADMT? (http://www.microsoft.com/downloads/details.aspx?familyid=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en) It's a migration tool from Microsoft, which when used properly, should allow you to migrate all the objects from your CampDomain to your MainDomain.

Do you already have a trust set up between these 2 domains?

This is the way I would do it - Create a trust between the 2 domains. Use ADMT to migrate all objects from CampDomain to MainDomain, including the piece on SIDHistory, which will allow the users that get migrated to continue to access resources on their old domain without any changes. This helps a lot to ensure continuity during the migration.

Once your users and clients etc are nicely over to the new domain, and all have their new profiles on their PCs etc, you can start to bring your member servers across to the new domain as well, 1 by 1, testing each thoroughly as you go.

Finally, when everything is across and using the new domain completely, you can demote the CampDomain DC (thus deleting the domain if it's the only DC for that domain), make it a member of the new domain, and then repromote to DC status...

Well, that's it in a nutshell, at least...

I could prattle on for ages on the use of ADMT, but it's easier to provide you with some reading material to get a better idea of how it works.

Have a look through these:


Don't worry that the versions of OS are slightly different, just use the articles to get a better idea of how it all works... Then come back and we can continue to discuss and answer questions etc.
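
A check that supports the last step of the answer above, added here as an example and not part of the original post: before CampDomain is demoted, it lists which migrated accounts still depend on SIDHistory and which share permissions still name CampDomain SIDs. The domain names come from the question; the share path `\\CAMPSERVER\Shares` and the output file names are hypothetical placeholders, and the script assumes the RSAT ActiveDirectory module and a working trust.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and that the trust is still up so CampDomain can be queried.
Import-Module ActiveDirectory

$TargetDomain = 'MainDomain.local'
$SourceDomain = 'CampDomain.local'
$SharePath    = '\\CAMPSERVER\Shares'   # hypothetical placeholder

# Every SID issued by CampDomain starts with the CampDomain domain SID.
$sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# 1. MainDomain objects that still carry a CampDomain SID in sIDHistory.
$carriers = Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
        -Properties sIDHistory, sAMAccountName |
    ForEach-Object {
        $old = @($_.sIDHistory | ForEach-Object { $_.ToString() } |
                 Where-Object { $_ -like "$sourceSid-*" })
        if ($old.Count -gt 0) {
            [pscustomobject]@{
                Account = $_.sAMAccountName
                Class   = $_.ObjectClass
                OldSids = $old -join ';'
            }
        }
    }

# 2. Explicit ACEs on the share that still name a CampDomain SID. While these
#    exist, access works only because of sIDHistory and the old domain's SIDs.
$folders = @(Get-Item -LiteralPath $SharePath) +
           @(Get-ChildItem -LiteralPath $SharePath -Recurse -Directory -ErrorAction SilentlyContinue)
$sidType = [System.Security.Principal.SecurityIdentifier]
$staleAces = foreach ($folder in $folders) {
    (Get-Acl -LiteralPath $folder.FullName).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -like "$sourceSid-*" } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $folder.FullName
                Sid    = $_.IdentityReference.Value
                Rights = $_.FileSystemRights
            }
        }
}

$carriers  | Export-Csv -NoTypeInformation .\sidhistory-carriers.csv
$staleAces | Export-Csv -NoTypeInformation .\stale-aces.csv
'{0} accounts carry CampDomain sIDHistory; {1} explicit ACEs still name CampDomain SIDs.' -f `
    @($carriers).Count, @($staleAces).Count
```

When the second count reaches zero, the shares no longer depend on the old SIDs, which is the point at which clearing sIDHistory and demoting the CampDomain DC stops being a risk to file access.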


LVL 70

Assisted Solution

KCTS earned 1000 total points
ID: 26070799
You can't actually "merge" two domains together, or for that matter split them apart; there is no facility to "prune and graft" in Active Directory.

You essentially have two options. You can join the two domains with a trust which will allow users in one domain to access resources in the other - see http://technet.microsoft.com/en-us/library/cc740018(WS.10).aspx

or you can export all of the Active Directory data from one domain, import it into the other and then decommission the old domain - the tool to move the AD information is the ADMT tool, to which PeteJThomas has already drawn your attention.

Author Comment

ID: 26074010
Bleh, it deleted my comments.  I'm going to work on setting up a trust and see if that will be enough.  Thanks for your help!  When I run into issues I'll post a new question.
LVL 19

Expert Comment

ID: 26074109
To be fair, there's no reason a trust wouldn't work for you. You'll essentially then be able to give users from each domain permissions to access resources on the other domain.

If that's all you need to do, and have no specific need to decommission the CampDomain, then it's your best option. Plus it's a hell of a lot easier... and the implications of a trust failure are far less than that of a migration failure... :)

