

New Domain Build vs Migration

Last Modified: 2012-05-11
I have a parent-child domain with about 450 users.  We have approximately 14 security groups and two shares.  We also have approximately 4 GPs redirecting My Documents, mapping the shares, and applying settings.  It's not an extremely complicated setup.  

The current Active Directory is at least 6 or 7 years old, maybe more.  I'd like to get some opinions on what is best and the pros and cons of either.  Should I build a completely new forest, domain, etc., or should I just bring up new servers and import everything from the current domain?  I am concerned about bringing over any problems from the current Active Directory.  I inherited the network in 2004 and I do not know what occurred before then.  We also lost an Exchange server about 2 years ago that had to be forcefully deleted from the domain.  The current domain has four physical servers, all with Microsoft Server 2003, and one running Exchange 2003.

I purchased three new physical servers and an EMC SAN with the intention to redo everything, going virtual with VMware ESXi.  The hardware is now set up with the EMC VNX SAN and ESXi on the servers, ready to go.  We will be running several virtual Windows 2008 servers and Exchange 2010.

Start clean or migrate?  What are the concerns about migration?  Opinions?  

James, Senior Cloud Infrastructure Engineer

Why do you not want to stick with the current Active Directory Topology you have? Is there a need to create a new Forest?

There is a lot (emphasis on a lot) more work involved in a migration vs standing up new DCs and eventually removing your old DCs.  

What sort of problems are you seeing in your current AD?  

Svet Paperov, IT Manager

Migration is much easier. I cannot even imagine the amount of work that needs to be done moving around 450 users with their Exchange accounts, groups, etc. between two forests. Unless you have several highly motivated guys ready to work for a full weekend, you would need to support both forests for a long time.
James, Senior Cloud Infrastructure Engineer

I would recommend migration to your new servers. There is no need to create a new Forest. Within your current Active Directory topology, you have a Parent - Child Domain. This means you have 5 FSMO Roles and they are created on the first DC installed in the Forest. With a Child Domain you will have 3 FSMO Roles. In a Forest there can only be 2 Forest Wide Roles, the Schema Master Role and the Domain Naming Master Role. The other 3 FSMO Roles are Domain Wide: the PDC Emulator, the Infrastructure Master Role and then the RID Master Role.

Make sure you know which Domain Controllers are holding these Roles. You will have to prepare the Schema for the integration of Windows Server 2008 into the domain. You will have to run adprep /forestprep and adprep /domainprep.

I would then suggest that the first Windows Server 2008 Server you install and promote to a DC that you then transfer the FSMO Roles. Also, be understanding of the Forest and Domain Functional Levels and check which Level they are at. Be sure not to raise these levels until your current infrastructure is at 2008 Level.

Active Directory will replicate to the new DC, and so will DNS when you add these roles to the 2008 DC or DCs. You will be able to move the DHCP databases to the 2008 DC or DCs also.
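The checks James lists (which DC holds which role, the forest and domain functional levels, and transferring the roles to the first 2008 DC) as an added example; this is not code from his answer or from the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) is available, and the new DC name DC2008-01 is a placeholder. On a plain 2003 DC the read-only equivalent is netdom query fsmo.

```powershell
# Added example, not part of the thread: inventory FSMO role holders and
# functional levels before the first Windows Server 2008 DC is promoted,
# then transfer the roles to it once it has replicated.
# Assumes the ActiveDirectory module; DC2008-01 is a placeholder name.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles exist once, in the forest root domain only.
"Forest root          : $($forest.RootDomain)"
"Forest mode          : $($forest.ForestMode)"
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"

# Domain-wide roles exist once per domain: parent and child each hold three.
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    ""
    "Domain               : $($d.DNSRoot)  (mode $($d.DomainMode))"
    "PDC emulator         : $($d.PDCEmulator)"
    "RID master           : $($d.RIDMaster)"
    "Infrastructure master: $($d.InfrastructureMaster)"
}

# Schema and domain preparation for 2008 runs from the 2008 media, once per
# forest and once per domain, on the role holders printed above:
#   adprep /forestprep            (on the schema master)
#   adprep /domainprep /gpprep    (on the infrastructure master of each domain)

# After promoting the new DC and letting it replicate, confirm replication is
# healthy, then transfer (do not seize) the roles. The five-role list applies in
# the forest root; in the child domain only the three domain roles exist.
$newDc = 'DC2008-01'
repadmin /showrepl $newDc
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Leave ForestMode and DomainMode where they are until every 2003 DC is demoted;
# raising them is a one-way change.
```

Run the inventory part first and keep its output: it is the record of where the roles were if a transfer has to be rolled back. Transfer rather than seize while the old DC is still online, because seizing leaves the old holder believing it still owns the role.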

kevinhsieh, Network Engineer

I would look at collapsing the child domain into the parent domain. There isn't really any technical argument for having two domains, and there are lots of reasons not to (like you should have 4 domain controllers).


Thanks for all the great advice so far.  I guess I should add a little more detail.  I have already notified the 420 OWA-only users that email will be lost during the build.  They should have already backed up any important emails.  The other more critical users, approximately 20, have PST files on their local machines that we would re-import after the build.  If done as a complete rebuild, all accounts will be recreated and there would be no need to move any Exchange info.

The new servers and domain will need to be set up and the proper roles applied.  This would have to be done regardless, except we would be moving roles over if we were to migrate.  Unless I'm mistaken, I believe the biggest task here will be physically entering the account info for each account.  I have a spreadsheet to copy and paste from.  I timed it at about 45 seconds to create one account.  Two people should be able to recreate the accounts in a little over 3 hours.  

We have approximately 14 security groups and two shares that have rights from the groups, along with about 4 GPs.  All 'My Documents' folders are created on first login as a roaming profile.  There is only one share on each of our two file servers that are mapped from a GP logon script.  The shares each have department folders with permissions applied by security group.  Storage space is limited by disk quotas.  We could move the two shares and 20 'My Documents' folders to a removable hard drive temporarily.  This should really take no more than a couple of hours at most to set up.  I originally redesigned the file structure and security a few years ago to be very simple and straightforward.

I guess my main question here is what are the pros and cons of keeping the current Active Directory forest or completely rebuilding?  Is there a potential for any problems transferring over?  What about anything that was improperly removed, SIDs and GUIDs, years of reimaging computers, the Exchange server that could not be removed properly, etc.?  Are there any chances of future problems from any of this, or is that impossible?  

Also, I am not the original builder of this domain.  I inherited it about 5 years ago, so I have no idea of what was previously done.  I don't know how old it is, if it was originally migrated from an NT 4.0 domain, etc.  I guess the uncertainty is a little troubling.  I haven't really noticed any major problems with it over the years.  I have noticed there are a lot of unknown GUIDs when looking at security on certain things.  I also remember having some trouble changing server roles a while back, but only on certain servers.



Good answer, just missed some details I was looking for between the two methods.  Thanks
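The asker estimates 45 seconds per account, or a little over 3 hours for two people, to key 450 accounts from a spreadsheet. Creating them from the spreadsheet saved as CSV, with their group memberships and a unique random initial password each, is an added example and not code from the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and CSV columns SamAccountName, GivenName, Surname, Department and Groups, with Groups a semicolon-separated list; the file path, OUs and UPN suffix are placeholders.

```powershell
# Added example, not part of the thread: bulk-create users and security groups
# from a CSV export of the spreadsheet. Assumes the ActiveDirectory module and
# columns SamAccountName,GivenName,Surname,Department,Groups (Groups separated
# by ';'). File path, OUs and UPN suffix are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web      # for Membership.GeneratePassword

$csvPath   = 'C:\build\users.csv'
$userOu    = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'
$groupOu   = 'OU=Groups,OU=Corp,DC=corp,DC=example,DC=com'
$upnSuffix = 'corp.example.com'

$rows = Import-Csv -Path $csvPath

# Create the security groups first so the membership adds below cannot fail.
$groupNames = $rows | ForEach-Object { $_.Groups -split ';' } |
              ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
foreach ($g in $groupNames) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
                    -GroupCategory Security -Path $groupOu
    }
}

$handover = @()
foreach ($row in $rows) {
    $sam = $row.SamAccountName.Trim()
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$sam)") {
        Write-Warning "$sam already exists, skipping"   # re-runnable after a partial import
        continue
    }
    # Unique random initial password per account, changed at first logon;
    # never a shared default that stays valid on accounts nobody logs into.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -GivenName $row.GivenName -Surname $row.Surname -Department $row.Department `
        -Path $userOu -Enabled $true -ChangePasswordAtLogon $true `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force)
    foreach ($g in ($row.Groups -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        Add-ADGroupMember -Identity $g -Members $sam
    }
    $handover += New-Object PSObject -Property @{ SamAccountName = $sam; InitialPassword = $initial }
}

# Hand the initial passwords over out of band, then delete this file.
$handover | Export-Csv -Path 'C:\build\initial-passwords.csv' -NoTypeInformation
"Created $($handover.Count) accounts and $($groupNames.Count) groups"
```

The existence checks make the script safe to re-run after a failure partway through the list. Test it first against a copy of the CSV with a handful of rows in a scratch OU, and confirm the password policy on the new domain accepts the 16-character generated passwords before running the full file.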