Solved

Joining two separate domains into one AD Sites and Services?

Posted on 2013-05-14
469 Views
Last Modified: 2013-06-24
I have been really struggling with what to do.  I don't know if this is the appropriate place to ask the question but I don't have much in the way of options.

I have two locations that currently operate independently.  We can call them domainone.com (main office) and domaintwo.com (remote manufacturing).  They both are on separate /24 networks.

Each has its own domain controller, terminal server, Exchange server, and ERP.  All running Server 2008 R2.

We are currently connected to one another through two Talari boxes (think VPN tunnel using multiple ISPs with a sprinkle of WAN op).  So we can access resources on both ends through this tunnel but cannot resolve names.

The ERP application is being consolidated into one Database so must be served out of one location.  domaintwo.com will access this ERP application via published app in terminal services at domainone.com.

The goal is to provide the users in domaintwo.com with the best experience possible while also saving money and lowering support needs at domaintwo.com.  My initial plan had all data moving from domaintwo.com to domainone.com and having domaintwo.com use resources entirely through Terminal Services.  We do that now with another (smaller) site and that works well.  I worry about performance however, and various other issues that may crop up.

It was suggested to me that instead it would be best to set up a new domain controller at domaintwo.com and join that domain controller to domainone.com.  Use migration tools or manually re-create the AD accounts for users who were previously domaintwo.com.  Also, we would need to create PST files for all mailboxes to import into domainone.com for the newly created mailboxes.  We would then need to re-auth all clients to the new domainone.com controller on site.

I believe this would use AD Sites and Services, but what about addressing?  Will I need to change addressing on both sites?  As I said, each runs its own /24 now.  If we pulled them both under one /24 address space, 253 addresses would be a bit tight but doable.  Is it possible to run AD Sites and Services with each side having a separate class and not really subnetted?

Example being site A 192.168.1.0/24 and B being 192.168.2.0/24.  From what I understand that isn't subnetting, as each is its own class C with a 24-bit mask.  To subnet properly I would need a /23 or /22, correct?

I have been struggling with what to do and second guessing myself too long.  Any advice or thoughts on this would be welcome at this point.
Question by: -Darvin-

4 Comments
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
Here is what I would do in your case.  I do believe you're mostly in the right direction though.


1) Set up a new DC like you mentioned.  Create all of the accounts, groups, etc. in domainone like they are in domaintwo.
2) Migrate user by user over to the new domain in a seamless manner (how to do that will be below).
3) Do not touch the subnetting the way it currently is structured.  It'll mess up networking.  Network subnetting and Windows domains are different.  You are right that this information is in Sites and Services.  By default in there you will see only a single site.  Create a second one for "site2".  Then assign the subnets in the Sites and Services tool according to how they are assigned on your networks.  What this does is help each site's hosts know which services to prefer (e.g. authenticate against the local DC rather than across the VPN link).

Now you might be able to get a short-term fix going, but I unfortunately don't have a ton of experience with it and none with the scenario you're trying to do.  But first, are the two domains in the same forest already or in different forests?  If in different forests then you can create a cross-forest trust between them via AD Domains and Trusts.  If they are in the same forest already, you might be able to already reference those accounts, but only if the ERP LDAP authentication integration allows for passage of the domain information as well.  Like I said, I don't know if that will work or not though.

As to seamlessly moving an account from one domain to another, it's actually very simple.  This makes it so the current user desktop is all there and IS exactly the way it is now for them; no copying, reconfiguring settings, etc.

1) Note what the current path is to their user profile path; at the CLI run "echo %userprofile%"
2) Unjoin the PC from the current domain
3) Join the PC to the new domain
4) Have the user log in to the PC on the new domain
5) Note what the current path is to their user profile path; same command as step 1
6) Log the user out and log in with a different "admin level" account
7) Change the permissions on the user profile folder you recorded in step 1 so that the user you set up in the new domain has the permissions the old domain user had.
NOTE:  make sure to check the box to have permissions applied to all subfolders and files as well, so it may take a while to complete depending on the number of files the user has
8) Open regedit
9) Go to HKEY_USERS > ### > Volatile Environment  (looks like this is it in Win7)
    You'll have to go through the various "folders" with the SIDs to find which one is for your new domain user.  The userprofile key should match what you retrieved in step 5
10) After you've identified the correct SID in the HKEY_USERS hive, modify the necessary keys so that they reference the profile path you recorded in step 1.  All of them I could find were in the Volatile Environment folder so you shouldn't have to search around
11) Log out and have the user log back in
7) go into the registry
 

Author Comment

by:-Darvin-
The domains are in separate forests.  This is a company we purchased earlier this year so we were completely separate until recently.

I haven't been able to get this working in a test environment yet.  I installed a new server at the remote site, but it cannot log into the domain at the primary site to become a member server.  It can't find an SRV record for domainone.com.  I am wondering if this may be due to addressing.  I mentioned this in my original question but it is unclear to me.  Currently domainone.com has a 192.168.1.0/24 address whereas domaintwo.com is 10.0.0.0/24.

This is the way our current WAN connection works through those address spaces.  So, it may be that I cannot test until we are in the same address space, 192.168.1.0/24 and 192.168.2.0/24 for example.  Is that right?  In order to be a valid subnet, wouldn't the mask need to be /23?  Isn't 192.168.1.0/23 and 192.168.2.0/23 a valid mask for that subnet?
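As an added example (not code from this thread), here is a small Python model of how AD Sites and Services maps a client address to a site by longest-prefix match over the configured site subnets, plus the /23 versus /22 arithmetic the question keeps returning to. The site names and the subnet table are constructed to mirror the two locations in the thread and are not taken from a real directory.

```python
import ipaddress

# Constructed site/subnet table modelling the thread's two locations.
# Site names are illustrative; the prefixes are the ones quoted in the thread.
SITE_SUBNETS = {
    "192.168.1.0/24": "MainOffice",            # domainone.com, site A
    "10.0.0.0/24": "RemoteManufacturing",      # domaintwo.com, "site2"
}


def site_for_host(ip, site_subnets=SITE_SUBNETS):
    """Return the site a client belongs to using longest-prefix match,
    which is how the DC locator picks a site from the Sites and Services
    subnet list. A client in no configured subnet has no site (None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def are_distinct_subnets(cidr_a, cidr_b):
    """True when the two prefixes do not overlap, i.e. each /24 is already
    its own subnet and can be assigned to its own site unchanged."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def smallest_supernet(cidr_a, cidr_b):
    """Smallest single prefix that contains both networks. 192.168.1.0/24
    and 192.168.2.0/24 are not an aligned pair, so they need a /22, while
    192.168.2.0/24 and 192.168.3.0/24 fit in one /23."""
    a = ipaddress.ip_network(cidr_a)
    b = ipaddress.ip_network(cidr_b)
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net


def is_valid_network(cidr):
    """True only when the address is the aligned start of its prefix.
    192.168.1.0/23 is not: the /23 that contains it starts at 192.168.0.0."""
    try:
        ipaddress.ip_network(cidr)  # strict by default: host bits must be zero
        return True
    except ValueError:
        return False
```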
 
LVL 25

Expert Comment

by:Cyclops3590
No, addressing has absolutely nothing to do with it.  For that site2 domain1 DC to connect, you need to ensure that it uses a DC DNS server from domain1.  This might require a site-to-site VPN being built between your two sites if one doesn't already exist.  Make sure that the server you're setting up can use the domain1 DNS servers by issuing a command like

nslookup www.google.com 192.168.1.x

where x is the IP specific to the DNS host.  If that doesn't work you can't connect the new server to the domain.  That must be rectified first.  But trust me, do NOT put both sites into the exact same subnet.  Then you for sure will not get things working.
 

Author Comment

by:-Darvin-
Thank you, I did the local address conversion this last weekend and that went well.  This upcoming weekend I will be setting up the other site and will do as you suggested.  Once that is complete I'll revisit this thread.  Thanks for your help so far!