Alexey91
asked on
Consolidating Root and Child AD Domains
Hello,
I have found several questions on EE on this topic, but a lot of them are really old and do not quite match my situation. So here it goes.
I am doing domain upgrades at my company, and while I am at it, I wanted to restructure several things.
Here is the current situation. One of the development environments has a separate AD Forest with two domains, one root, and one child. Each domain has only single domain controller each, running Windows 2000 Server. All of the users and computers are located in the child domain. Root domain ONLY contains DC computer object, and has DNS service installed. There are several user account but they are only used to login to that DC. I have been at the company for less than a year but this domain has been setup several years ago. No one can tell me why Root domain was setup and why it’s necessary now. It looks like this:
The plan is to upgrade domain controllers to Windows 2008 R2 and raise domain and forest level to Windows 2008 R2. However I am also trying to get rid of the root domain, to simplify things, and also to implement some redundancy by using both new purchased servers as DCs for “right now child domain”. As it stands right now, only two new servers were approved for upgrade of root/child domains. Even though this is a development environment, we can’t really afford for it to go down.
I have some articles that talk about merging domains, by using ADMT to move objects from one to another and then decommissioning the one. However, all of my objects are located in Child domain. Is there a way to remove root domain, making current child a root? The goal would also be to retain NETBIOS and DNS name of the current child domain. I started looking into Domain Rename process, but it does not really address consolidation part.
Any suggestions are welcomed,
Thanks,
Alex
I have found several questions on EE on this topic, but a lot of them are really old and do not quite match my situation. So here it goes.
I am doing domain upgrades at my company, and while I am at it, I wanted to restructure several things.
Here is the current situation. One of the development environments has a separate AD Forest with two domains, one root, and one child. Each domain has only single domain controller each, running Windows 2000 Server. All of the users and computers are located in the child domain. Root domain ONLY contains DC computer object, and has DNS service installed. There are several user account but they are only used to login to that DC. I have been at the company for less than a year but this domain has been setup several years ago. No one can tell me why Root domain was setup and why it’s necessary now. It looks like this:
domain.com – has dc1.domain.com Windows 2000 domain controller
ad.domain.com – has dc2.ad.domain.com Windows 2000 domain controllerThe plan is to upgrade domain controllers to Windows 2008 R2 and raise domain and forest level to Windows 2008 R2. However I am also trying to get rid of the root domain, to simplify things, and also to implement some redundancy by using both new purchased servers as DCs for “right now child domain”. As it stands right now, only two new servers were approved for upgrade of root/child domains. Even though this is a development environment, we can’t really afford for it to go down.
I have some articles that talk about merging domains, by using ADMT to move objects from one to another and then decommissioning the one. However, all of my objects are located in Child domain. Is there a way to remove root domain, making current child a root? The goal would also be to retain NETBIOS and DNS name of the current child domain. I started looking into Domain Rename process, but it does not really address consolidation part.
Any suggestions are welcomed,
Thanks,
Alex
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
mkline71, thanks for that information. As you say, you would just leave it as is, as well as I have read the same in some of the reference articles that you provided. They say that the gain is not worth the effort. However as everyone's environment is different I think that in our case it could be worth the effort.
Currently things are a bit slow in our group so I would have time to properly plan everything out. But most importantly if I leave it with 2 domains that would mean that I will have only single DC for each domain, where as if I combine domains I will get 2 DCs for my one domain. There were only two servers approved and no ifs and buts.
So as I understand it now, in order to accomplish what I need I would have to first use ADMT to migrate user, computer, and groups objects. Can it migrate Group Policy objects? Also can I use Domain Rename utility to rename Root domain with Child's Win2000 name (short name) as well as DNS name. In other words, can I rename a root domain from domain.com to ad.domain.com.
Thanks
Alex
Currently things are a bit slow in our group so I would have time to properly plan everything out. But most importantly if I leave it with 2 domains that would mean that I will have only single DC for each domain, where as if I combine domains I will get 2 DCs for my one domain. There were only two servers approved and no ifs and buts.
So as I understand it now, in order to accomplish what I need I would have to first use ADMT to migrate user, computer, and groups objects. Can it migrate Group Policy objects? Also can I use Domain Rename utility to rename Root domain with Child's Win2000 name (short name) as well as DNS name. In other words, can I rename a root domain from domain.com to ad.domain.com.
Thanks
Alex
Group policy you can migrate using GPMC http://support.microsoft.com/kb/818736/en-us
If you have the time it is good.
The domain rename (rendom) is not available in Windows 2000.
So a couple things here, I know money is tight in this economy but if you can get a second DC up the sooner the better...just think if your sole DC crashes hard.
Windows 2000 is also not officialy supported anymore. So if you run into issues you may be on your own. (in terms of Microsoft support)
Thanks
Mike
If you have the time it is good.
The domain rename (rendom) is not available in Windows 2000.
So a couple things here, I know money is tight in this economy but if you can get a second DC up the sooner the better...just think if your sole DC crashes hard.
Windows 2000 is also not officialy supported anymore. So if you run into issues you may be on your own. (in terms of Microsoft support)
Thanks
Mike
ASKER
Mike,
The whole project came about with domains upgrade to Windows Server 2008 R2. That was the original objective. I am just trying to include domain consolidation into this project. So any consolidation or renaming steps I will be taking after complete upgrade of the whole domain environment to Windows 2008 R2.
So with this in mind, can I accomplish my renaming goals: using Domain Rename utility to rename Root domain with Child's Win2000 name (short name) as well as DNS name, renaming a root domain from domain.com to ad.domain.com.
Thanks,
Alex
The whole project came about with domains upgrade to Windows Server 2008 R2. That was the original objective. I am just trying to include domain consolidation into this project. So any consolidation or renaming steps I will be taking after complete upgrade of the whole domain environment to Windows 2008 R2.
So with this in mind, can I accomplish my renaming goals: using Domain Rename utility to rename Root domain with Child's Win2000 name (short name) as well as DNS name, renaming a root domain from domain.com to ad.domain.com.
Thanks,
Alex
Once you get to 2003 or higher you can rename the domain using rendom. Are you using exchange (certain versions don't support domain rename)
Thanks
Mike
Thanks
Mike
ASKER
We don't have Exchange in our environment, we use Lotus Notes, so I think its a little easier. I guess my last specific question is can root domain have a DNS name with more than two parts to it. in other words, can root be named
something2.something1.com
or can it only be
something.com
Thanks
Alex
something2.something1.com
or can it only be
something.com
Thanks
Alex
Either one would work, the only issue can come when you name your domain the same as your public website.
example
company.com users try to access public http://company.com
...there are ways to overcome that though.
Thanks
Mike
example
company.com users try to access public http://company.com
...there are ways to overcome that though.
Thanks
Mike
ASKER
Mike, thanks for giving me direction and explaining empty root domain thing.
Alex
Alex
Have you looked at movetree?
http://support.microsoft.com/kb/238394