
New Domain Build vs Migration

I have a parent child domain with about 450 users.  We have approximately 14 security groups and two shares.  We also have approximately 4 GP's redirecting MyDocuments, mapping the shares, and applying settings.  It's not an extremely complicated setup.  

The current Active Directory is at least 6 or 7 years old, maybe more.  I'd like to get some opinions on what is best and the pros and cons of either.  Should I build a completely new forest, domain, etc. or should I just bring up new servers and import everything from the current domain?  I am concerned about bringing over any problems from the current Active Directory.  I inherited the network in 2004 and I do not know what occurred before then.  We also lost an Exchange server about 2 years ago that had to be forcefully deleted from the domain.  The current domain has four physical servers, all with Microsoft Server 2003, and one running Exchange 2003.

I purchased three new physical servers and an EMC SAN with the intention to redo everything going virtual with VMware ESXi.  The hardware is now set up with the EMC VNX SAN and ESXi on the servers, ready to go.  We will be running several virtual Windows 2008 servers and Exchange 2010.

Start clean or migrating?  What are the concerns about migration?  Opinions?  
 
Thanks!
1 Solution
 
JBond2010Commented:
Why do you not want to stick with the current Active Directory Topology you have? Is there a need to create a new Forest?
 
Mike KlineCommented:
There is a lot (emphasis on a lot) more work involved in a migration vs standing up new DCs and eventually removing your old DCs.  

What sort of problems are you seeing in your current AD?

Thanks
Mike
 
kevinhsiehCommented:
I would migrate to your new servers. Making a few changes using ADSIedit to cleanup some bad configuration information is a lot easier than trying to replicate everything you have working properly into a new environment.
Svet PaperovIT ManagerCommented:
Migration is much easier. I cannot even imagine the amount of work that needs to be done moving around 450 users with their Exchange accounts, groups, etc. between two forests. Unless you have several highly motivated guys ready to work for a full weekend, you would need to support both forests for a long time.
 
JBond2010Commented:
I would recommend migration to your new servers. There is no need to create a new Forest. Within your current Active Directory topology, you have a Parent-Child domain. This means you have 5 FSMO Roles and they are created on the first DC installed in the Forest. With a Child Domain you will have 3 FSMO Roles. In a Forest there can only be 2 Forest Wide Roles, the Schema Master Role and the Domain Naming Master Role. The other 3 FSMO Roles are Domain Wide: the PDC Emulator, the Infrastructure Master Role and then the RID Master Role.

Make sure you know which Domain Controllers are holding these Roles. You will have to prepare the Schema for the integration of Windows Server 2008 into the domain. You will have to run adprep /forestprep and adprep /domainprep.

I would then suggest that once the first Windows Server 2008 server is installed and promoted to a DC, you transfer the FSMO Roles to it. Also, be aware of the Forest and Domain Functional Levels and check which Level they are at. Be sure not to raise these levels until your current infrastructure is at the 2008 Level.

Active Directory will replicate to the new DC, and so will DNS when you add these roles to the 2008 DC or DCs. You will be able to move the DHCP databases to the 2008 DC or DCs also.


JBond2010
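The role inventory and transfer that the comment above describes, as an added example that is not part of the original thread or any answer in it. It assumes placeholder names: the first new DC is called DC08-01, sits in the parent (forest root) domain, runs Windows Server 2008 R2 with the ActiveDirectory module, and is where the script runs after promotion. Before any 2008 DC exists, `netdom query fsmo` from the 2003 Support Tools gives the same inventory.

```powershell
# Added example, not from the original thread: list FSMO role holders and functional
# levels for the parent/child forest, check replication, then transfer the roles.
# Placeholder assumptions: new DC is DC08-01 in the forest root domain; run on that DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host ("Forest {0}  mode={1}" -f $forest.Name, $forest.ForestMode)
Write-Host ("  Schema Master        : {0}" -f $forest.SchemaMaster)
Write-Host ("  Domain Naming Master : {0}" -f $forest.DomainNamingMaster)

# Each domain (parent and child) owns its own three domain-wide roles
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    Write-Host ("Domain {0}  mode={1}" -f $dom.DNSRoot, $dom.DomainMode)
    Write-Host ("  PDC Emulator         : {0}" -f $dom.PDCEmulator)
    Write-Host ("  RID Master           : {0}" -f $dom.RIDMaster)
    Write-Host ("  Infrastructure Master: {0}" -f $dom.InfrastructureMaster)
}

# Replication must be clean before any role moves; repadmin is built into 2008
# and ships in the 2003 Support Tools
repadmin /replsummary

# Transfer (never seize while the current holder is still online) all five roles to
# the new root-domain DC. -WhatIf previews; drop it to execute. For the child domain,
# run this again from a new DC in that domain with only the three domain-wide roles.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC08-01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -WhatIf

# Functional levels: raise only when no pre-2008 DC remains in the scope being raised.
# Get-ADDomainController -Filter covers the current domain; repeat in the child domain.
$legacy = Get-ADDomainController -Filter { OperatingSystem -notlike "*2008*" }
if ($legacy) {
    $names = ($legacy | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("Pre-2008 DCs still present, do not raise the level yet: " + $names)
} else {
    Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2008Domain -WhatIf
}
```

The `-WhatIf` switches are left in deliberately: remove them one at a time, after `repadmin /replsummary` reports no failures, and keep the old 2003 DCs online until the transfer completes so a transfer never has to become a seizure.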
 
kevinhsiehCommented:
I would look at collapsing the child domain into the parent domain. There isn't really any technical argument for having two domains, and there are lots of reasons not to (like you should have 4 domain controllers).
 
rickreevesAuthor Commented:
Thanks for all the great advice so far.  I guess I should add a little more detail.  I have already notified the 420 OWA-only users that email will be lost during the build.  They should have already backed up any important emails.  The other more critical users, approximately 20, have PST files on their local machines that we would re-import after the build.  If done as a complete rebuild, all accounts will be recreated and there would be no need to move any Exchange info.

The new servers and domain will need to be set up and the proper roles applied.  This would have to be done regardless, except we would be moving roles over if we were to migrate.  Unless I'm mistaken, I believe the biggest task here will be manually entering the account info for each account.  I have a spreadsheet to copy and paste from.  I timed it at about 45 seconds to create one account.  Two people should be able to recreate the accounts in a little over 3 hours.  

We have approximately 14 security groups and two shares that have rights from the groups, along with about 4 GP's.  All 'My Documents' folders are created on first login as a roaming profile.  There is only one share on each of our two file servers that is mapped from a GP logon script.  The shares each have department folders with permissions applied by security group.  Storage space is limited by disk quotas.  We could move the two shares and 20 'My Documents' folders to a removable hard drive temporarily.  This should really take no more than a couple of hours at most to set up.  I originally redesigned the file structure and security a few years ago to be very simple and straightforward.

I guess my main question here is what are the pros and cons of keeping the current Active Directory forest or completely rebuilding?  Is there a potential for any problems transferring over?  What about anything that was improperly removed, SIDs and GUIDs, years of reimaging computers, the Exchange server that could not be removed properly, etc.?  Are there any chances of future problems from any of this, or is that impossible?  

Also, I am not the original builder of this domain.  I inherited it about 5 years ago, so I have no idea what was previously done.  I don't know how old it is, if it was originally migrated from an NT 4.0 domain, etc.  I guess the uncertainty is a little troubling.  I haven't really noticed any major problems with it over the years.  I have noticed there are a lot of unknown GUIDs when looking at security on certain things.  I also remember having some trouble changing server roles a while back, but only on certain servers.

Thanks!
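The "unknown" entries the author sees in the Security tab are ACEs whose SID no longer maps to any account (deleted users or groups, or principals from a domain that no longer exists). Whether the forest is kept or rebuilt, those entries are worth finding before the share is copied, because a copy preserves the dead SIDs and a rebuild silently changes which SIDs the live groups have. The audit below is an added example, not code from the original thread or any answer in it; it assumes a placeholder share root of D:\Shares\Dept and runs elevated on the file server.

```powershell
# Added example, not from the original thread: report (and optionally remove) ACEs on the
# department share whose principal no longer resolves. Placeholder share root: D:\Shares\Dept.
# Written for PowerShell 2.0 so it runs on Windows Server 2008 R2 without extra tooling.
param(
    [string]$Root = 'D:\Shares\Dept',
    [switch]$Remove     # strip the orphaned ACEs instead of only reporting them
)

function Test-OrphanedIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl returns resolved principals as NTAccount; an entry that is still a
    # SecurityIdentifier is one that could not be mapped to any account
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    try {
        [void]$Identity.Translate([System.Security.Principal.NTAccount])
        return $false   # translatable after all (e.g. a well-known or service SID)
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

$report  = @()
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })

foreach ($folder in $folders) {
    $acl     = Get-Acl -Path $folder.FullName
    $orphans = @()
    foreach ($ace in $acl.Access) {
        # Inherited entries are fixed at the folder that defines them, not here
        if ($ace.IsInherited) { continue }
        if (Test-OrphanedIdentity $ace.IdentityReference) {
            $orphans += $ace
            $report  += New-Object PSObject -Property @{
                Path   = $folder.FullName
                SID    = $ace.IdentityReference.Value
                Type   = $ace.AccessControlType
                Rights = $ace.FileSystemRights
            }
        }
    }
    if ($Remove -and $orphans.Count -gt 0) {
        foreach ($ace in $orphans) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $folder.FullName -AclObject $acl
    }
}

$report | Format-Table Path, SID, Type, Rights -AutoSize
```

Run it without `-Remove` first and read the SID list: a SID that fails to translate only because the child domain or a trust is unreachable at that moment looks identical to a truly dead one, so confirm with `Get-ADObject -Filter { objectSid -eq '<sid>' }` (or a second run later) before stripping anything. The script only touches explicit ACEs; an orphaned SID that appears on every subfolder is inherited from one parent and should be removed there once.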
 
rickreevesAuthor Commented:
Good answer, it just missed some details I was looking for between the two methods.  Thanks