New Domain or Upgrade?

Hi there,

We are looking to move to a 2008 functional level in our domain, and possibly to rename that domain (from *ourname*.com to *ourname*.local or some such).

We have approximately 30 servers and maybe 200 users. Our AD structure is a mess right now, with over 500 security groups, a mess of redundant and pointless OUs, etc. It seems like there would be a lot of benefit from creating a brand new domain, but a lot of pain as well.

This domain was, so far as I'm aware, created in NT4 and has been upgraded to the 2003 level that it's at now without ever having been blown away, so it seems like the time for it.

I'd like to know what best practice is, what the pros/cons of both sides of the coin are (upgrading this domain again or creating a new domain), and what you folks have done and the challenges you've faced.


I've done some upgrades and some new ones as well, and I would say in your situation, since it's not failed and you need it up ASAP, take the time to make your AD structure easy to understand; it is a big deal. There will be lots of problems, and tons of tweaks and whatnot will be necessary; almost certainly things will break. But after you do it once, it's done and you'll be better for it. What I would say best practice is: set up the side domain and work it all out with test groups, then during a maintenance window go ahead, take the plunge and cross your fingers.
SR_Tech (Author) commented:
We're a large organization though, and can't afford to "cross our fingers", so to speak.  Any downtime would result in loss of revenue.

We were hoping, if we were to go with a new domain, that we'd be able to configure new servers (new VMs, that is) in a separate VLAN and be able to slowly migrate users and servers over, while somehow still providing access to the users still in the old domain. The logistics of that are yet to be determined, as we first need to figure out if the effort is worth it.
Adam Brown (Sr Solutions Architect) commented:
As is the answer with many AD questions, it depends. You may have less trouble just cleaning up your existing domain than moving things to a new forest. Cross Forest migrations can be a massive undertaking if you don't have a good plan and you could end up migrating to a forest that is just as messed up. It can be hard on techs and *really* hard on users as they will basically be doing things differently from the second you make the switch. You'll need to plan for vastly increased support demands as people get used to it and the kinks are worked out.

That said, you should consider the software you have running in your environment right now. For example, if you have Exchange running on your network, a domain rename is not possible and you would *have* to migrate to a new forest if you wanted to transition to a different domain name. Some software may not transition well from one domain to another, so be aware of what you're running and the requirements related to a forest migration.

In general, if the core of your AD is healthy, it is a lot easier to just clean things up, but that of course depends on how many of those security groups are being used for NTFS permissions, Shares, etc. AD is pretty good about upgrading, but if there's just too much there to clean up, starting over may be a good idea.


Instead of creating a new domain, I would rather suggest keeping the same domain and working on a plan and process to clear the clutter and avoid future clutter. Looking at the amount of time that will be involved in migrating 30 servers and 200 users, re-permissioning, restructuring, etc., it's better to fix the existing structure.

In case you have to migrate to a new domain, the issues may surface once you actually start working. You will need to re-permission resources, printers, file servers, etc. for sure.

It all depends on what you want to migrate and how smoothly it's been running. There are no hard and fast rules as such for pros and cons; however, there are best practices when planning a new structure and migrating.


Hypercat (Deb) commented:
I can't see any downside to creating a fresh domain except the amount of work involved, but the rewards would be great. Trying to modify your current structure would most likely be more time-consuming and certainly more problematical, because you're bound to run into issues along the way ("oh, I forgot that so-and-so needs access to that folder four levels down inside a shared resource....", etc.).

The key would be to take the time to outline your domain structure, from subnets to security groups to OUs and group policies, on paper before you start. This will allow you to do a lot of tweaking before you get too far down the road. Depending on the complexity you actually need, you would want to get others in your company involved in helping you create the structure that will work best in your environment. You want to make sure they buy into the changes you're making and make them aware of how it will simplify their jobs instead of making them more complex.

Then, create your new domain off-line so that you can get everything set up the way you want it. Add a few test workstations and make sure security groups, policies, etc., are working as expected. Then you can schedule moving everything from the old domain into the new one in a structured manner.
Adam Brown (Sr Solutions Architect) commented:
To make a couple of additions to my earlier post, I'll give you a bit of an expectation. I've performed two Cross-Forest migrations for clients this year. One client had 1 server and about 50 users. Another client had 10 servers and 50 administrative users (in addition to 300 students, as it was an educational environment). The 1-server migration required a day of downtime, and it was about a month before everyone was comfortable with the new system. There were a lot of bumps along the way, and productivity was lower during the transition. This was due mostly to the fact that there was only a week or two to prepare for the changeover. We didn't have enough information going in and got smacked in the head with problems when the switch was made. The other client allowed us about 2 months of preparation and planning for the migration, and it went a good deal smoother, but there were still a lot of bumps that had to be smoothed out. And we had a full week to work the transition in, and the reconfiguration of everyone's devices took a full day after the transition was done. It's basically impossible to plan for every possible contingency in a Cross-Forest Migration, and you *will* have some downtime and decreased productivity throughout the transition and afterward. Comparatively, I'm aware of a government contract to migrate a specific government network to Windows 2008 on a new domain. The contract is slated to take about 2 years.

I personally tend to take the opinion that any healthy AD can be reorganized with enough thought and understanding. You'll need to plan a reorganization just as you would a migration. The principal difference is that a reorganization can be done with little to no user impact. If it's done with the proper amount of planning, users won't even realize anything has changed. That's not likely to happen with a migration, since users will be logging in to a new domain name (you cannot have two identical NetBIOS domain names on a single network, and you will need to have both domains on a single network eventually so you can migrate data and systems) and a lot of other things will change.

Ultimately, you'll *have* to get a strong understanding of your current environment for both strategies. Any problems you can run into with a reorganization will occur in a migration ("Oh wait, this user doesn't need to be in this group, that user does"). Try to figure out what you have now so you can better determine what you actually *need*.
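The inventory step that Adam Brown recommends here (and his earlier point that the answer hinges on how many of the 500 security groups are actually used for NTFS permissions and shares) is something you can get as data rather than by guesswork. The following PowerShell is an added example for this thread, not code posted by any of the participants: it lists every AD security group with its member count, checks whether the group appears in an NTFS ACL on the upper levels of your file shares, and assigns a cleanup verdict. It assumes the RSAT ActiveDirectory module is installed and that the share paths in `$ShareRoots`, the scan depth and the output file are placeholders you replace with your own values.

```powershell
# Added example (not from the original thread): inventory AD security groups
# to decide what a cleanup or a migration actually has to carry forward.
# Assumes the RSAT ActiveDirectory module; $ShareRoots, $Depth and $OutFile
# are illustrative values to adjust for your environment.
#Requires -Modules ActiveDirectory
param(
    [string[]]$ShareRoots = @('\\fileserver\data', '\\fileserver\apps'),   # assumption: your share roots
    [int]$Depth = 3,                                                      # how deep to sample ACLs
    [string]$OutFile = "$env:USERPROFILE\ad-group-inventory.csv"          # assumption: report location
)

Import-Module ActiveDirectory

# 1. Every security group in the domain, with membership and last-change time.
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
            -Properties member, whenChanged, Description, isCriticalSystemObject

# 2. Collect the group names that appear in NTFS ACLs on the top $Depth folder
#    levels of each share. Deeper folders normally inherit, so sampling the
#    upper levels finds the explicit grants without walking every file.
$referenced = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
foreach ($root in $ShareRoots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping unreachable share $root"; continue }
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        try { $acl = Get-Acl -LiteralPath $d.FullName } catch { continue }
        foreach ($ace in $acl.Access) {
            # IdentityReference is "DOMAIN\Name"; keep only the account name.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            [void]$referenced.Add($name)
        }
    }
}

# 3. Classify each group. Built-in groups are never cleanup candidates;
#    empty groups that no sampled ACL references are the safest to remove first.
$report = foreach ($g in $groups) {
    $memberCount = @($g.member).Count
    $inAcl       = $referenced.Contains($g.SamAccountName)
    $verdict = if ($g.isCriticalSystemObject)            { 'keep (built-in)' }
               elseif ($memberCount -eq 0 -and -not $inAcl) { 'candidate: empty and unreferenced' }
               elseif ($memberCount -eq 0)                { 'review: in ACL but no members' }
               elseif (-not $inAcl)                       { 'review: members but not in sampled ACLs' }
               else                                       { 'keep (in use)' }
    [pscustomobject]@{
        Group       = $g.SamAccountName
        Scope       = $g.GroupScope
        Members     = $memberCount
        UsedInNtfs  = $inAcl
        LastChanged = $g.whenChanged
        Description = $g.Description
        Verdict     = $verdict
    }
}

$report | Sort-Object Verdict, Group | Export-Csv -NoTypeInformation -Path $OutFile
$report | Group-Object Verdict | Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats when reading the result. "Not in sampled ACLs" only means the group was not found on the folder levels scanned; groups can also be used in share permissions, on printers, in application role mappings or nested inside other groups, so treat that verdict as a review queue, not a delete list. And the member count comes from the `member` attribute, which does not include accounts whose primary group is set to that group, so check `primaryGroupID` before removing anything that looks empty but unexpected.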
I agree with 2-vnas.  Actually I would think that if you rename the domain .local, you will have to do extra configurations in the servers to handle the public domain.  For example, the email server.