
Merge two active directory domains with same name into a single domain

Dali2012 asked
Last Modified: 2012-02-08
Hello, currently we have two DCs in two physical locations, one in UK and one in US. Both domains have the same name, say comp.com. User accounts are different in each domain.

We're changing the infrastructure to the cloud and the idea is to merge the two existing domains into a single domain. One DC is Win Server 2008 and the other is Win 2008 R2.

What would be the best way to achieve this so that users don't have to reset their passwords? I can create a private VPN between the two locations.

Once the new merged DC is created I would setup replication between US and UK so that a user created in either UK or US would exist in both locations. So if UK site goes down then uk users would be able to login into the US site and continue their work.

Thanks

Lee W, MVP (Technology and Business Process Advisor, Certified Expert, Most Valuable Expert 2013)

Commented:
Sorry, not possible through any means I've ever heard of.

Even using ADMT, you cannot synchronize passwords.  As I understand the passwords, they are a one-way encryption - a hash is created for the password when set and the only way to know what that hash is is to know the password that created it.  Users will HAVE to reset their passwords.

The cloud is an annoying term that may mean just about anything depending on the circumstance and who you're talking to.  As does the phrase "changing the infrastructure to the cloud" - what exactly do you mean by this?

If you want to "merge" two identically named domains, assuming they were NEVER part of the same domain (meaning, someone didn't take a DC from one network and seize the FSMO roles to create a new identical network), then ASSUMING one (or both) sites don't use Exchange, you may be able to rename the domain on one end.  Then you can use ADMT and migrate users from one domain to the other - the passwords will still require resetting, but at least the SIDs will be preserved and in turn permissions and user profiles.

That said, depending on the size of the network, I would personally not use ADMT.  It creates a SID history for users and is, in my opinion, a messy way of doing things.  I would PREFER to create a script to create all the users from one domain in the new domain and set things up cleanly.  Yes, it's more of a hassle in the short term, but in the long term, it could prove to be the wiser decision.
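One way to script the clean rebuild Lee W describes, as an added example that is not part of this thread: export the enabled users and their group memberships from one domain, then recreate them in the merged domain with a one-time temporary password and "must change password at next logon", since password hashes cannot be carried across. It assumes the ActiveDirectory PowerShell module, a source DC name and a target OU, all of which are placeholders.

```powershell
# Added example (not from the thread). Phase 1 runs against the source domain,
# phase 2 against the merged domain. Hashes cannot be migrated, so each user
# gets a fresh temporary credential and is forced to change it at first logon.
Import-Module ActiveDirectory

$SourceDC = 'us-dc1.comp.com'              # assumption: a DC in the source domain
$TargetOU = 'OU=Migrated,DC=comp,DC=com'   # assumption: landing OU in the merged domain
$Export   = 'C:\migrate\users.csv'

# --- Phase 1: export users and the names of the groups they belong to ---
Get-ADUser -Server $SourceDC -Filter 'Enabled -eq $true' `
    -Properties GivenName, Surname, DisplayName, Mail, Department, MemberOf |
    Select-Object SamAccountName, GivenName, Surname, DisplayName, Mail, Department,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { (Get-ADGroup -Server $SourceDC $_).Name }) -join ';' } } |
    Export-Csv -Path $Export -NoTypeInformation

# --- Phase 2: recreate accounts in the merged domain ---
$chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*'
foreach ($u in Import-Csv $Export) {
    # Both domains had their own accounts, so the same logon name may already exist:
    # never silently merge two different people into one SID; flag it for manual review.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "Skipping $($u.SamAccountName): logon name already exists in the target domain"
        continue
    }
    # 20-character random temporary password, handed over out of band and replaced at first logon.
    $temp = -join ($chars | Get-Random -Count 20)
    New-ADUser -Name $u.DisplayName -SamAccountName $u.SamAccountName `
        -GivenName $u.GivenName -Surname $u.Surname -DisplayName $u.DisplayName `
        -EmailAddress $u.Mail -Department $u.Department -Path $TargetOU `
        -AccountPassword (ConvertTo-SecureString $temp -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Rebuild group membership; create any group that does not exist yet.
    foreach ($g in ($u.Groups -split ';' | Where-Object { $_ })) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -Path $TargetOU
        }
        Add-ADGroupMember -Identity $g -Members $u.SamAccountName
    }
}
```

Run phase 1 once per source domain, review the warnings for duplicate logon names before re-running phase 2, and exclude built-in groups such as Domain Admins from the CSV rather than recreating them.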

Author (Dali2012) commented:
Thanks Leew, I agree 100%, cloud IS an annoying term lol. It doesn't really apply to what I'm trying to do here. Basically we'll be moving the DC in UK from a dedicated server to its own VM, and then decommission the dedicated DC.

I'm thinking the best would be to set up a brand new DC in the new VM, and then manually import users and groups from the two existing domains. Permissions I can set up via a script and user profiles aren't an issue if they don't get copied over. This would probably be the easiest since passwords will be lost no matter what. This takes care of UK.

How would I now demote the existing DC in US, and create a new DC in US that will replicate with the newly "merged" DC in UK? Either site can create users and reset passwords, and users can choose whether to log in to a US server or a UK server. A trust won't work because if US goes down all users in both locations should be able to log in to UK and vice versa.

Any thoughts?

Thanks
Lee W, MVP

Commented:
Unless you have a really small couple of offices, I would recommend 2 DCs at each site.  As a worst-case scenario, users should be able to log in with cached credentials but of course, you need a DNS server accessible to each side regardless.

I wouldn't recommend two domains though.  The one should be fine and if you want to build clean and script/import users that way, that's fine.  (In many ways with a major reconstruction like this, I would probably recommend that).

Author (Dali2012) commented:
So we have 150 users in the US site and 160 users in the UK site. Users connect to Terminal Services to do their work. We have a different DNS for each site. For example, to connect to the UK terminal server they use uk.company.com and for us they use uk.company.com.

But I think what you mean by DNS is the DNS for the Active Directory, which is just company.com, so regardless of which location they are in their full user name is always company.com\john. We use AD-integrated DNS.

The new DC will then have about 310 users. Your suggestion is for each site to have 2 DCs, which makes sense, but we are a bit limited by resources. I'll have to see if I can spawn a new VM in each site to handle AD replication.

What is then the best approach to create the multimaster replication between the two sites, for example between US-DC1 and UK-DC1? Or would all 4 DCs need the multi-master replication?

[      company.com domain      ]
US-DC1     <--------->    UK-DC1
US-DC2                    UK-DC2

Thanks!