Solved

Consolidating Root and Child AD Domains

Posted on 2010-09-17
1,088 Views
Last Modified: 2012-05-10
Hello,

I have found several questions on EE on this topic, but a lot of them are really old and do not quite match my situation.  So here it goes.

I am doing domain upgrades at my company, and while I am at it, I wanted to restructure several things.

Here is the current situation.  One of the development environments has a separate AD forest with two domains, one root and one child.  Each domain has only a single domain controller, running Windows 2000 Server.  All of the users and computers are located in the child domain.  The root domain ONLY contains the DC computer object and has the DNS service installed.  There are several user accounts, but they are only used to log in to that DC.  I have been at the company for less than a year, but this domain was set up several years ago.  No one can tell me why the root domain was set up and why it's necessary now.  It looks like this:

domain.com – has dc1.domain.com Windows 2000 domain controller
ad.domain.com – has dc2.ad.domain.com Windows 2000 domain controller


The plan is to upgrade the domain controllers to Windows 2008 R2 and raise the domain and forest functional level to Windows 2008 R2.  However, I am also trying to get rid of the root domain, to simplify things, and also to implement some redundancy by using both newly purchased servers as DCs for the "right now child domain".  As it stands right now, only two new servers were approved for the upgrade of the root/child domains.  Even though this is a development environment, we can't really afford for it to go down.

I have some articles that talk about merging domains by using ADMT to move objects from one to another and then decommissioning the one.  However, all of my objects are located in the child domain.  Is there a way to remove the root domain, making the current child a root?  The goal would also be to retain the NetBIOS and DNS name of the current child domain.  I started looking into the Domain Rename process, but it does not really address the consolidation part.

Any suggestions are welcomed,

Thanks,
Alex
Question by:Alexey91
9 Comments
 
LVL 11

Expert Comment

by: Coast-IT
ID: 33701496
I think you may have to move all child objects to the root domain, unfortunately, and then decommission the child domain.

Have you looked at movetree?

http://support.microsoft.com/kb/238394
 
LVL 57

Accepted Solution

by: Mike Kline (earned 2000 total points)
ID: 33701680
It would have to be ADMT or another third-party tool (Quest or NetIQ, for example).  By the way, what you want to do is also referred to as "prune and graft" and it is one of the most requested features in AD (i.e. doing it without a migration).  Right now that feature is not available: http://blogs.technet.com/b/activedirectoryua/archive/2009/10/01/mergers-acquisitions-or-reorganizations-may-have-you-considering-active-directory-restructuring.aspx
So for some historical perspective, that domain was set up that way because they used the "empty root" design, which for the majority of AD's life had been the dominant design strategy (the thinking was to enhance security).  That really isn't the case anymore and the DS team even addressed this (see the empty root question):
http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx
In your case I'd just leave the empty root versus a full migration/consolidation.
Thanks
Mike
 
LVL 1

Author Comment

by: Alexey91
ID: 33716117
mkline71, thanks for that information.  As you say, you would just leave it as is, and I have read the same in some of the reference articles that you provided.  They say that the gain is not worth the effort.  However, as everyone's environment is different, I think that in our case it could be worth the effort.

Currently things are a bit slow in our group, so I would have time to properly plan everything out.  But most importantly, if I leave it with 2 domains, that would mean that I will have only a single DC for each domain, whereas if I combine domains I will get 2 DCs for my one domain.  There were only two servers approved, and no ifs and buts.

So as I understand it now, in order to accomplish what I need, I would have to first use ADMT to migrate user, computer, and group objects.  Can it migrate Group Policy objects?  Also, can I use the Domain Rename utility to rename the root domain with the child's Win2000 name (short name) as well as its DNS name?  In other words, can I rename a root domain from domain.com to ad.domain.com?

Thanks
Alex
 
LVL 57

Expert Comment

by: Mike Kline
ID: 33716667
Group Policy you can migrate using GPMC: http://support.microsoft.com/kb/818736/en-us
If you have the time, it is good.
The domain rename tool (rendom) is not available in Windows 2000.
So a couple of things here: I know money is tight in this economy, but if you can get a second DC up, the sooner the better... just think if your sole DC crashes hard.
Windows 2000 is also not officially supported anymore.  So if you run into issues you may be on your own (in terms of Microsoft support).
Thanks
Mike
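An added example, not code from this thread or from the author: a PowerShell inventory a practitioner would run before choosing between keeping the empty root and migrating with ADMT, since it shows what the root actually holds (forest-wide FSMO roles live there, which is why the root cannot simply be dropped), per-domain object and GPO counts, and which domains have a single DC. It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later) and uses the thread's placeholder domain names.

```powershell
# Pre-consolidation inventory of a two-domain forest (added example, not from the thread).
# Assumes the ActiveDirectory and GroupPolicy PowerShell modules are installed and the
# account running it can read both domains. Domain names are the thread's placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$RootDomain  = 'domain.com'      # "empty root" per the question
$ChildDomain = 'ad.domain.com'   # where all users and computers live

function Get-DomainInventory {
    param([string]$Domain)
    $d = Get-ADDomain -Identity $Domain
    # @() guards against a single result having no .Count on older PowerShell versions.
    [pscustomobject]@{
        Domain      = $d.DNSRoot
        NetBIOS     = $d.NetBIOSName
        DomainMode  = $d.DomainMode
        DCs         = @(Get-ADDomainController -Filter * -Server $Domain).Count
        Users       = @(Get-ADUser -Filter * -Server $Domain).Count
        Computers   = @(Get-ADComputer -Filter * -Server $Domain).Count
        Groups      = @(Get-ADGroup -Filter * -Server $Domain).Count
        GPOs        = @(Get-GPO -All -Domain $Domain).Count   # GPOs need GPMC migration
        PDCEmulator = $d.PDCEmulator
        RIDMaster   = $d.RIDMaster
        InfraMaster = $d.InfrastructureMaster
    }
}

# Forest-wide roles are held by DCs in the root domain; removing the root is therefore
# a migration ("prune and graft" is not supported), not a rename.
$forest = Get-ADForest
[pscustomobject]@{
    ForestRoot         = $forest.RootDomain
    ForestMode         = $forest.ForestMode
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    Domains            = ($forest.Domains -join ', ')
} | Format-List

$inventory = $RootDomain, $ChildDomain | ForEach-Object { Get-DomainInventory $_ }
$inventory | Format-Table -AutoSize

# Flag the availability risk raised in the thread: a domain with only one DC.
foreach ($i in $inventory) {
    if ($i.DCs -lt 2) {
        Write-Warning "$($i.Domain) has a single domain controller: no redundancy."
    }
}

# Show which accounts the root really contains beyond the DC object itself.
Get-ADUser -Filter * -Server $RootDomain | Select-Object SamAccountName, Enabled
```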
 
LVL 1

Author Comment

by: Alexey91
ID: 33716958
Mike,

The whole project came about with the domain upgrade to Windows Server 2008 R2.  That was the original objective.  I am just trying to include domain consolidation in this project.  So any consolidation or renaming steps I will be taking after the complete upgrade of the whole domain environment to Windows 2008 R2.

So with this in mind, can I accomplish my renaming goals: using the Domain Rename utility to rename the root domain with the child's Win2000 name (short name) as well as its DNS name, renaming a root domain from domain.com to ad.domain.com?

Thanks,
Alex

 
LVL 57

Expert Comment

by: Mike Kline
ID: 33717469
Once you get to 2003 or higher you can rename the domain using rendom.  Are you using Exchange? (Certain versions don't support domain rename.)

Thanks

Mike
 
LVL 1

Author Comment

by: Alexey91
ID: 33717813
We don't have Exchange in our environment, we use Lotus Notes, so I think it's a little easier.  I guess my last specific question is: can the root domain have a DNS name with more than two parts to it?  In other words, can root be named

something2.something1.com

or can it only be

something.com

Thanks
Alex
 
LVL 57

Expert Comment

by: Mike Kline
ID: 33717905
Either one would work; the only issue can come when you name your domain the same as your public website.

example

company.com   users try to access public http://company.com

...there are ways to overcome that though.

Thanks
Mike
 
LVL 1

Author Comment

by: Alexey91
ID: 33719143
Mike, thanks for giving me direction and explaining the empty root domain thing.

Alex
