W2K3 Forest Trust roll-back
Hi - we are in the process of merging two companies and looking at implementing a 2 way forest trust.
Both companies are operating AD at 2003 functional level. Our DC's are running on server2008R2 in a vmware environment.
Can anyone offer some advice as to a roll-back plan? We are confident with the steps involved to establish the forest trust and have been doing some tests in an isolated environment but not sure of what to expect in a worst case scenario?
Thanks
Shaughn
Both companies are operating AD at 2003 functional level. Our DC's are running on server2008R2 in a vmware environment.
Can anyone offer some advice as to a roll-back plan? We are confident with the steps involved to establish the forest trust and have been doing some tests in an isolated environment but not sure of what to expect in a worst case scenario?
Thanks
Shaughn
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Forest trusts are a form of credentialling; you're exchanging tokens that permit one AD forest to automatically authenticate users in the other forest to access resources.
Rollback is easy: delete the authorization in forest A and forest B users can no longer access its resources.
Rollback is easy: delete the authorization in forest A and forest B users can no longer access its resources.
thank You for your comments. If the forest trust does not stablish properly, could we have any big authentication issues? We might need to go back to our AD backups and restore all DCs across all sites. Is that correct?
If you have problems establishing the trust, you will have issues with users in forest A accessing resources in forest B (and vice-versa). Unless you have inherent issues in ether forest to begin with (you've run a dcdiag to see how healthy they are, right?), you won't have any intra-forest issues after attempting to set up the trust--succeed or not.
ASKER
Hi millardjk, thank you for all your replies.
Yes, you are right. DCdiag shows no errors. Server healthy on my end. Not sure our sister company. I'll ask them if they have run it fo reasurance as I know they were having issues. I have advised them to take AD backups from all their DCS. I am just concerned as their systems had a couple of major glitches lately. If the trusts are not sucessful we can always delete the authorization, right?
Just one more thing, if the trust is sucessful PC's will get a scrolldown menu with the second domain/forest, right?
Is there anything else we would need to do?
Will exchange synch contacts, GAL?
Many thanks
Yes, you are right. DCdiag shows no errors. Server healthy on my end. Not sure our sister company. I'll ask them if they have run it fo reasurance as I know they were having issues. I have advised them to take AD backups from all their DCS. I am just concerned as their systems had a couple of major glitches lately. If the trusts are not sucessful we can always delete the authorization, right?
Just one more thing, if the trust is sucessful PC's will get a scrolldown menu with the second domain/forest, right?
Is there anything else we would need to do?
Will exchange synch contacts, GAL?
Many thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For roll back, you just need to revert the steps that will be used to create the trust.