Joining two separate domains into one AD Sites and Services?

I have been really struggling with what to do.  I don't know if this is the appropriate place to ask the question but I don't have much in the way of options.

I have two locations that currently operate independently.  We can call them (main office) and (remote manufacturing).  They both are on separate /24 networks.

Each has its own domain controller, terminal server, exchange server, and ERP.  All running Server 2008 R2.

We are currently connected to one another through two Talari boxes (think VPN tunnel using multiple ISP's with a sprinkle of wan op).  So we can access resources on both ends through this tunnel but can not resolve names.

The ERP application is being consolidated into one Database so must be served out of one location. will access this ERP application via published app in terminal services at

The goal is to provide the users in with the best experience possible while also saving money and lowering support needs at  My initial plan had all data moving from to and having use resources entirely through TerminalServices.  We do that now with another (smaller) site and that works well.  I worry about performance however, and various other issues that may crop up.  

It was suggested to me that instead it would be best to set up a new domain controller at and join that domain controller to  Use migration tools or manually re-create the AD accounts for users who were previously  Also, we would need to create PST files for all mailboxes to import into for the newly created mailboxes.  We would then need to re-auth all clients to the new controller on site.

I believe this would use AD sites and services, but what about addressing?  Will I need to change addressing on both sites?  As I said each runs its own /24 now.  If we pulled them both under one /24 address space 253 addresses would be a bit tight but doable.  Is it possible to run AD Sites and Services with each side having separate class and not really sub-netted?

Example being site A and B being  From what I understand that isn't sub-netting as each is its own class C with a 24 bit mask.  To subnet properly I would need a /23 or /22 correct??

I have been struggling with what to do and second guessing myself too long.  Any advice or thoughts on this would be welcome at this point.
here is what I would do in your case.  I do believe you're mostly in the right direction though.

1)  set up a new DC like you mentioned.  create all of the accounts, groups, etc in domainone like they are in domaintwo
2) migrate user by user over to new domain in a seamless manner (how to do that will be below)
3) Do not touch the subnetting the way it currently is structured.  It'll mess up networking.  Network subnetting and Windows domains are different.  You are right that information is in the Sites and Services.  By default in there you will see only a single site.  Create a second one for "site2".  then assign the subnets in the Site and Services tool according to how they are assigned on your networks.  what this does is help each site's hosts know which services to prefer (e.g. authenticate against local DC rather than across vpn link)

now you might be able to get a short term fix going but I unfortunately don't have a ton of experience with it and none with the scenario you're trying to do.  But first, are the two domains in the same forest already or in different forests.  If in different forests then you can create a cross-forest trust between them via AD domains and trusts.  If they are in the same forest already, you might be able to already reference those accounts, but only if the ERP ldap authentication integration allows for passage of the domain information as well.  Like I said, I don't know if that will work or not though.

as to seamlessly moving an account from one domain to another, it's actually very simple.  This makes it so the current user desktop is all there and IS exactly the way it is now for them; no copying, reconfiguring settings, etc.

1) Note what the current path is to their user profile path; at cli do "echo %userprofile%"
2) unjoin pc from current domain
3) join pc to new domain
4) have user log in to pc on new domain
5) note what the current path is to their user profile path; same cmd as step 1
6) log user out and login with a different "admin level" account
7) Change the permissions on the userprofile folder you recorded in step 1 so that the user you setup in the new domain has the permissions the old domain user had.  
NOTE:  make sure to check the box to have permissions applied to all subfolders and files as well so it may take a while to complete depending on the number of files the user has
8) open regedit
9) go to HKEY_USERS > ### > Volatile Environment  (looks like this is it in win7)
    you'll have to go thru the various "folders" with the SIDs to find which one is for your new domain user.  the userprofile key should match what you retrieved in step 5
10) after you've identified the correct SID in the HKEY_USERS hive, modify the necessary keys so that they reference the profile path you recorded in step 1.  all of them I could find were in the volatile environment folder so you shouldn't have to search around
11) logout and have user log back in
7) go into the registry
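Step 3 above (one site object per location, each existing /24 attached as its own subnet object) as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory module with the ADReplication* cmdlets (RSAT on Windows 8 / Server 2012 or later, which work against 2008 R2 DCs through ADWS), and the site names and address ranges are placeholders.

```powershell
# Added example: map each existing /24 to its own AD site so hosts at each
# location prefer their local DC. Site names and prefixes are assumed values.
Import-Module ActiveDirectory

$Sites = @{
    'MainOffice'          = '192.168.1.0/24'   # assumed main office range
    'RemoteManufacturing' = '192.168.2.0/24'   # assumed remote site range
}

foreach ($site in $Sites.Keys) {
    # Create the site object if it does not exist yet
    # (Default-First-Site-Name is already there).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }

    # The subnet object is keyed by its CIDR prefix. Each /24 stays exactly
    # as it is on the wire; no re-addressing to a /23 is needed, because
    # IP subnetting and AD site subnets are separate things.
    $prefix = $Sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site
    } else {
        Set-ADReplicationSubnet -Identity $prefix -Site $site
    }
}

# Both sites must share a site link so replication is scheduled across the
# VPN. DEFAULTIPSITELINK exists in every forest; add both sites to it.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = [string[]]$Sites.Keys }

# Verify: list the subnet-to-site mapping, then ask the DC locator which
# site this host landed in and which DC it picks (should be the local one).
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Run it once from any domain-joined admin workstation; after the next replication cycle, `nltest /dsgetsite` on a host at the remote location should report the remote site name.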
-Darvin-Author Commented:
The domains are in separate forests.  This is a company we purchased earlier this year so we were completely separate until recently.

I haven't been able to get this working in a test environment yet.  I installed a new server at the remote site, but it can not log into the domain at primary site to become a member server.  It can't find a srv record for  I am wondering if this may be due to addressing.  I mentioned this in my original question but it is unclear to me.  Currently has a address where is

This is the way our current WAN connection works through those address spaces.  So, it may be that I can not test until we are in the same address space. and for example.  Is that right??  In order to be a valid subnet wouldn't the mask need to be /23??  Isn't and a valid mask for that subnet??
No, addressing has absolutely nothing to do with it.  For that site2 domain1 DC to connect, you need to ensure that it uses a DC-DNS from domain1.  This might require a site-to-site vpn being built between your two sites if one doesn't already exist.  Make sure that the server you're setting up can use the domain1 dns servers by issuing a command like

nslookup 192.168.1.x

where x is the ip specific to the dns host.  if that doesn't work you can't connect the new server to the domain.  that must be rectified first.  But trust me, do NOT put both sites into the exact same subnet.  Then you for sure will not get things working.
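The check described in this answer, as an added PowerShell example rather than code from the thread: it queries domain1's DNS for the SRV record the DC locator needs (the record the question says could not be found), then points the new server's NIC at that DNS server and asks the locator directly. It uses only nslookup, netsh and nltest, which are present on Server 2008 R2; the domain name, DNS server address and interface name are placeholders.

```powershell
# Added example: confirm a site2 server can find domain1's DCs through
# domain1's DNS before attempting the domain join. All values are assumed.
$Domain    = 'domain1.example'        # assumed FQDN of domain1
$DnsServer = '192.168.1.10'           # assumed IP of a domain1 DC running DNS
$Nic       = 'Local Area Connection'  # assumed interface name on the new server

function Test-DcSrvRecord {
    param([string]$Domain, [string]$DnsServer)
    # The DC locator asks DNS for this SRV record; when it is missing, the
    # join fails with the "cannot find an SRV record" error seen above.
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    $out  = & nslookup -type=SRV $name $DnsServer 2>&1 | Out-String
    if ($out -match "timed.out|Non-existent domain|can't find") {
        Write-Warning "No SRV record for $name via $DnsServer; fix DNS/VPN reachability first"
        return $false
    }
    # Each answer names a DC offering LDAP for the domain.
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') {
            Write-Host "DC advertised by DNS: $($Matches[1])"
        }
    }
    return $true
}

if (Test-DcSrvRecord -Domain $Domain -DnsServer $DnsServer) {
    # Make domain1's DC the only DNS server on the NIC; validate=no skips
    # netsh's own reachability probe since we just proved it above.
    netsh interface ipv4 set dnsservers "name=$Nic" source=static address=$DnsServer validate=no

    # Ask the DC locator itself; /force bypasses its cached answer.
    nltest /dsgetdc:$Domain /force
    Write-Host "DNS and DC locator are working; the join/promotion can proceed."
}
```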
-Darvin-Author Commented:
Thank you, I did the local address conversion this last weekend and that went well.  This upcoming weekend I will be setting up the other site and will do as you suggested.  Once that is complete I'll revisit this thread.  Thanks for your help so far!