New Domain Build vs Migration

Posted on 2011-04-26
Last Modified: 2012-05-11
I have a parent-child domain with about 450 users. We have approximately 14 security groups and two shares. We also have approximately 4 GPOs redirecting My Documents, mapping the shares, and applying settings. It's not an extremely complicated setup.

The current Active Directory is at least 6 or 7 years old, maybe more. I'd like to get some opinions on what is best and the pros and cons of either. Should I build a completely new forest, domain, etc., or should I just bring up new servers and import everything from the current domain? I am concerned about bringing over any problems from the current Active Directory. I inherited the network in 2004 and I do not know what occurred before then. We also lost an Exchange server about 2 years ago that had to be forcefully deleted from the domain. The current domain has four physical servers, all running Microsoft Windows Server 2003, with one running Exchange 2003.

I purchased three new physical servers and an EMC SAN with the intention of redoing everything, going virtual with VMware ESXi. The hardware is now set up with the EMC VNX SAN and ESXi on the servers, ready to go. We will be running several virtual Windows 2008 servers and Exchange 2010.

Start clean or migrate? What are the concerns about migration? Opinions?
Question by: rickreeves

    Expert Comment

    Why do you not want to stick with the current Active Directory Topology you have? Is there a need to create a new Forest?

    Expert Comment

    by: Mike Kline
    There is a lot (emphasis on a lot) more work involved in a migration vs. standing up new DCs and eventually removing your old DCs.

    What sort of problems are you seeing in your current AD?


    Accepted Solution

    I would migrate to your new servers. Making a few changes using ADSIEdit to clean up some bad configuration information is a lot easier than trying to replicate everything you have working properly into a new environment.

    Expert Comment

    by: Svet Paperov
    Migration is much easier. I cannot even imagine the amount of work that needs to be done moving around 450 users with their Exchange accounts, groups, etc. between two forests. Unless you have several highly motivated guys ready to work for a full weekend, you would need to support both forests for a long time.

    Expert Comment

    I would recommend migration to your new servers. There is no need to create a new forest. Within your current Active Directory topology, you have a parent-child domain. This means you have 5 FSMO roles, and they are created on the first DC installed in the forest. With a child domain you will have 3 FSMO roles. In a forest there can only be 2 forest-wide roles: the Schema Master role and the Domain Naming Master role. The other 3 FSMO roles are domain-wide: the PDC Emulator, the Infrastructure Master role and the RID Master role.

    Make sure you know which domain controllers are holding these roles. You will have to prepare the schema for the integration of Windows Server 2008 into the domain. You will have to run ForestPrep and DomainPrep.

    I would then suggest that, once the first Windows Server 2008 server is installed and promoted to a DC, you transfer the FSMO roles to it. Also, be aware of the forest and domain functional levels and check which level they are at. Be sure not to raise these levels until your current infrastructure is at the 2008 level.

    Active Directory will replicate to the new DC, and so will DNS when you add these roles to the 2008 DC or DCs. You will be able to move the DHCP databases to the 2008 DC or DCs also.
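The procedure in the comment above (locate the FSMO holders, prepare the schema and domains, transfer the roles, hold the functional levels) as a single added PowerShell walkthrough. This is not code from the thread or from any of its participants; it assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT; 2008 RTM ships no module, so the `netdom`, `repadmin`, `dcdiag` and `adprep` lines are the fallback there) and uses placeholder names: forest root `corp.example.com`, child `child.corp.example.com`, first 2008 DCs `DC08-01` and `DC08-CHILD`, and install media on `D:`.

```powershell
# Added example, not from the original thread. Placeholder names throughout:
# forest root corp.example.com, child child.corp.example.com,
# first 2008 DC per domain DC08-01 / DC08-CHILD, 2008 media mounted on D:.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

# 1. Find the FSMO holders: two forest-wide roles, three in every domain.
netdom query fsmo                           # also works from a 2003 DC, no module needed
$forest = Get-ADForest
$forest | Select-Object SchemaMaster, DomainNamingMaster, ForestMode
foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d |
        Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster, DomainMode
}

# 2. Replication and DC health BEFORE touching the schema. Inherited damage
#    (lingering objects, a DC that never converged) is far cheaper to fix now
#    than after forestprep has extended the schema on a forest that is not healthy.
repadmin /replsummary
dcdiag /c /q

# 3. The forcibly removed Exchange 2003 server leaves objects in the
#    configuration partition, which replicates forest-wide. List what remains
#    so the ADSIEdit cleanup the accepted answer mentions is targeted, not blind.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$cfg" `
    -LDAPFilter '(objectClass=msExchExchangeServer)' |
    Select-Object Name, DistinguishedName

# 4. Schema and domain preparation from the 2008 media. forestprep runs on the
#    schema master; domainprep on the infrastructure master of EACH domain
#    (root and child). Both are one-way changes.
#      D:\sources\adprep\adprep.exe /forestprep
#      D:\sources\adprep\adprep.exe /domainprep /gpprep
#      D:\sources\adprep\adprep.exe /rodcprep     (only if RODCs are planned)
# Confirm the schema version afterwards: 30/31 = 2003/2003 R2, 44 = 2008, 47 = 2008 R2.
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion

# 5. Once DC08-01 is promoted and has replicated, transfer the roles to it.
#    Transfer (never seize) while the 2003 holders are still online.
Move-ADDirectoryServerOperationMasterRole -Identity DC08-01 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
#    The child domain has only the three domain-wide roles; run this while
#    connected to the child domain, against its own first 2008 DC.
Move-ADDirectoryServerOperationMasterRole -Identity DC08-CHILD `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# 6. Functional levels stay where they are until every 2003 DC in the domain is
#    demoted: raising is irreversible, and a 2003 DC cannot be promoted into a
#    domain already at the 2008 level. Repeat this check in the child domain,
#    and raise the forest level only after BOTH domains are at 2008.
$all = @(Get-ADDomainController -Filter *)
$new = @($all | Where-Object { $_.OperatingSystem -like '*2008*' })
if ($all.Count -eq $new.Count) {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain
    # Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest   # after both domains
}
```

Steps 2 and 3 are the ones that address the asker's worry about inheriting problems: a clean `repadmin` summary and an empty Exchange services container mean the old forest is carrying nothing forward, and a non-empty one tells you exactly which objects ADSIEdit needs to remove before `forestprep` runs.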


    Expert Comment

    I would look at collapsing the child domain into the parent domain. There isn't really any technical argument for having two domains, and there are lots of reasons not to (like you should have 4 domain controllers).

    Author Comment

    Thanks for all the great advice so far. I guess I should add a little more detail. I have already notified the 420 OWA-only users that email will be lost during the build. They should have already backed up any important emails. The other, more critical users, approximately 20, have PST files on their local machines that we would re-import after the build. If done as a complete rebuild, all accounts will be recreated and there would be no need to move any Exchange info.

    The new servers and domain will need to be set up and the proper roles applied. This would have to be done regardless, except we would be moving roles over if we were to migrate. Unless I'm mistaken, I believe the biggest task here will be physically entering the account info for each account. I have a spreadsheet to copy and paste from. I timed it at about 45 seconds to create one account. Two people should be able to recreate the accounts in a little over 3 hours.

    We have approximately 14 security groups and two shares that have rights from the groups, along with about 4 GPOs. All 'My Documents' folders are created on first login as a roaming profile. There is only one share on each of our two file servers, mapped from a GP logon script. The shares each have department folders with permissions applied by security group. Storage space is limited by disk quotas. We could move the two shares and 20 'My Documents' folders to a removable hard drive temporarily. This should really take no more than a couple of hours at most to set up. I originally redesigned the file structure and security a few years ago to be very simple and straightforward.

    I guess my main question here is: what are the pros and cons of keeping the current Active Directory forest versus completely rebuilding? Is there a potential for any problems transferring over? What about anything that was improperly removed, SIDs and GUIDs, years of reimaging computers, the Exchange server that could not be removed properly, etc.? Are there any chances of future problems from any of this, or is that impossible?

    Also, I am not the original builder of this domain. I inherited it about 5 years ago, so I have no idea what was previously done. I don't know how old it is, whether it was originally migrated from an NT 4.0 domain, etc. I guess the uncertainty is a little troubling. I haven't really noticed any major problems with it over the years. I have noticed there are a lot of unknown GUIDs when looking at security on certain things. I also remember having some trouble changing server roles a while back on certain servers.
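Two pieces of the rebuild plan above, written out as an added PowerShell example that is not part of the thread or the asker's own tooling. `Find-OrphanedSidAce` inventories the "unknown" entries the asker sees on the share security tabs by asking for raw SIDs and flagging any that no longer translate; `Import-UsersFromSheet` replaces the 45-seconds-per-account manual entry with an import from the spreadsheet saved as CSV. It assumes the ActiveDirectory module (2008 R2 / RSAT), Windows PowerShell 2.0 syntax, and placeholder values for the share paths, the CSV path and columns (`SamAccountName,GivenName,Surname,Department,Groups`, with `Groups` semicolon-separated), the target OU and the UPN suffix.

```powershell
# Added example, not from the original thread. All paths, OU, UPN suffix and
# CSV column names are placeholders. Written for PowerShell 2.0 (2008 R2 era).
Import-Module ActiveDirectory

function Find-OrphanedSidAce {
    # Lists ACEs on the share roots and their department folders whose SID no
    # longer resolves to an account: deleted users/groups, or principals from a
    # domain that no longer exists. These are the "unknown" entries in the GUI.
    param([string[]]$Roots = @('\\FS1\Share', '\\FS2\Share'))
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    foreach ($root in $Roots) {
        $dirs = @(Get-Item $root) +
                @(Get-ChildItem $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            $acl = Get-Acl -Path $dir.FullName
            # explicit + inherited ACEs, identities returned as raw SIDs
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $ace.IdentityReference
                try   { $null = $sid.Translate($ntType); continue }   # resolves: fine
                catch { }                                              # IdentityNotMapped: orphan
                New-Object PSObject -Property @{
                    Path   = $dir.FullName
                    Sid    = $sid.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

function Import-UsersFromSheet {
    # Creates users and their security groups from the spreadsheet (saved as CSV)
    # instead of typing each one. Returns the number of accounts created.
    param(
        [string]$Csv       = 'C:\build\users.csv',
        [string]$OU        = 'OU=Users,DC=corp,DC=example,DC=com',
        [string]$UpnSuffix = 'corp.example.com'
    )
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $created = 0
    foreach ($row in Import-Csv $Csv) {
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
            Write-Warning "skipping existing account $($row.SamAccountName)"; continue
        }
        # Random initial password, forced change at first logon: a fresh domain is
        # the wrong place to re-seed a shared default or the old spreadsheet passwords.
        $bytes = New-Object byte[] 18
        $rng.GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
            -SamAccountName $row.SamAccountName `
            -UserPrincipalName "$($row.SamAccountName)@$UpnSuffix" `
            -GivenName $row.GivenName -Surname $row.Surname -Department $row.Department `
            -Path $OU -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
        foreach ($g in ($row.Groups -split ';' | Where-Object { $_ })) {
            if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
                New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $OU
            }
            Add-ADGroupMember -Identity $g -Members $row.SamAccountName
        }
        $created++
    }
    return $created
}

# Usage:
#   Find-OrphanedSidAce | Format-Table Path, Sid, Rights, Type -AutoSize
#   Import-UsersFromSheet -Csv 'C:\build\users.csv'
```

An ACE whose SID no longer resolves grants nothing to anyone, so the orphans are clutter rather than a live exposure; what the list tells you is how much of the share ACLs is dead weight. Note that in a rebuilt forest every account and group receives a new SID, so the department-folder permissions have to be reapplied from the groups regardless of how clean the old ACLs are, whereas an in-forest migration keeps the SIDs and the ACLs intact.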


    Author Closing Comment

    Good answer; it just missed some details I was looking for between the two methods. Thanks.
